Apple Music Android Application - Insecure Transport (CVE-2023-32427) - Info-Sec.CA

Overview

"Stream over 100 million songs, all ad-free."

(https://play.google.com/store/apps/details?id=com.apple.android.music)

Issue

The Apple Music Android application (version 4.1.0 was tested), makes the initial request insecurely when choosing 'Provide Feedback' within the app.

Impact

An attacker who can perform a man in the middle attack may be able to redirect the 'Provide Feedback' request to a page that they control, potentially being able to capture sensitive information without the user's knowledge.

Timeline

January 11, 2023 - Notified Apple via product-security@apple.com
January 11, 2023 - Apple sent an auto acknowledgment
January 12, 2023 - Apple responded stating that they are investigating
February 16, 2023 - Apple confirmed the issue
April 11, 2023 - Asked if Apple could provide a timeline for an updated version to be available
April 18, 2023 - Apple responded stating that the issue has been fixed in the latest public beta (4.2.0 beta)
July 27, 2023 - Apple published a security advisory

Solution

Upgrade to version 4.2.0 or later

https://support.apple.com/en-us/HT213833
https://support.apple.com/en-us/HT201222

CVE-ID:

CVE-2023-32427

Questions?

Contact Information

Info-Sec.CA