March 11th, 2009
Rigged podcasts can leak your iTunes username/password
Hackers can create malicious podcasts to hijack usernames and passwords from Apple’s iTunes software.
According to a warning from Apple, a “design issue” in the iTunes podcast feature can be abused via rigged audio files to cause an authentication dialog to be presented to the user. From that dialog, a hacker can hijack iTunes credentials and upload it to the podcast server.
[ SEE: Apple plugs gaping iTunes hole, doesn't tell everyone ]
From Apple’s advisory:
- A design issue exists in the iTunes podcast feature. A subscription to a malicious podcast may cause an authentication dialog to be presented to the user. This dialog may entice the user to send iTunes credentials to the podcast server.
Apple has shipped a patch in iTunes 8.1 to clarify the origin of the authentication request in the dialog box.
The iTunes update also corrects a denial-of-service flaw that can be caused via maliciously crafted DAAP messages.
- An infinite loop exists in the handling of iTunes Digital Audio Access Protocol (DAAP) messages. Sending a message containing a maliciously crafted Content-Length parameter in the DAAP header may lead to a denial of service. This update addresses the issue by performing additional validation of DAAP messages.
The denial -of-service bug does not affect Mac OS X systems.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
