Cross Site Scripting and Apple.com

July 22nd, 2005

Apple.com was recently discovered to have three serious Cross Site Scripting (XSS) vulnerabilities. Andrew Austin, an independent researcher, said he was checking out apple.com to buy a new iBook when he discovered the security holes. As the site loaded he immediately noticed a search box at the bottom of the page. Unable to resist testing it, he entered a bit of JavaScript that would indicate whether the search code was vulnerable to malicious injection.

He thought he was wasting his time, as surely a company like Apple would have invested money in pen testing its web-based applications to avoid serious security flaws. To his surprise, however, the site was vulnerable. After emailing Apple about the first vulnerability he quickly found two more, one within the code of Apple’s online store.

Apple indicated that they were thankful for Andrew’s discovery of the vulnerabilities and invited him to continue further testing.
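The search-box flaw described above is the classic reflected XSS pattern: whatever the user types is written straight back into the results page, so markup in the query becomes markup in the page. The following is an added example, not code from Apple or from the researcher, showing a minimal results renderer in its reflecting form beside a version that HTML-escapes the query, plus the kind of harmless probe check a tester or a unit test would use to tell the two apart. The template string, function names and the probe marker are constructed for illustration.

```python
import html

# Constructed example (not Apple's code): a minimal search-results renderer
# that reflects the user's query into the page. The template is hypothetical.
PAGE_TEMPLATE = "<p>Results for: <b>{query}</b></p>"


def render_results_unsafe(query: str) -> str:
    """Reflects the query verbatim: any tag or attribute text in it
    becomes part of the page, which is exactly the reflected XSS defect."""
    return PAGE_TEMPLATE.format(query=query)


def render_results_safe(query: str) -> str:
    """Same page, but the query is HTML-escaped before it is reflected.
    html.escape() with quote=True encodes & < > " and ', so user input can
    only ever appear as text, never as markup."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def reflects_markup(renderer, marker: str = "<i>probe</i>") -> bool:
    """Harmless detection check: submit a benign marker tag and see whether
    it survives into the output unescaped. True means the renderer is
    reflecting raw markup and needs output encoding."""
    return marker in renderer(marker)


if __name__ == "__main__":
    # Constructed sample query containing every HTML-significant character.
    sample = 'ibook & "G4" <12"> o\'neil'
    print("unsafe :", render_results_unsafe(sample))
    print("safe   :", render_results_safe(sample))
    print("unsafe renderer reflects markup:", reflects_markup(render_results_unsafe))
    print("safe renderer reflects markup  :", reflects_markup(render_results_safe))
```

The check is deliberately built from an inert tag rather than a script payload; for detection purposes the only question is whether the page echoes markup untouched, and that is visible with any tag at all. The fix is contextual output encoding at the point where the value is written into HTML, not input filtering on the search term.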

Entry Filed under: Web Application Security
