Exploit the possiblities

Apple Support iOS Application 1.1.1 Unencrypted Third Party Analytics

Apple Support iOS Application 1.1.1 Unencrypted Third Party Analytics
Posted Oct 24, 2017
Authored by David Coomber

Apple Support iOS application versions 1.1.1 and below send potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, iOS version and screen resolution, unencrypted to a third party site (Adobe Marketing Cloud).

tags | advisory
systems | apple, ios
advisories | CVE-2017-7147
MD5 | 228b93dcbffcf65f58e7495bb25a4bb0

Apple Support iOS Application 1.1.1 Unencrypted Third Party Analytics

Change Mirror Download
Apple Support iOS Application - Unencrypted Third Party Analytics (CVE-2017-7147)

Overview

"Need help? Apple Support app is your personalized guide to the best options from Apple. Find answers with articles tailored to your products and questions. Call, chat or email with an expert right away, or schedule a callback when itas convenient. Get a repair at an Apple Store or a nearby Apple Authorized Service Provider. Apple Support is here to help."

(https://itunes.apple.com/us/app/apple-support/id1130498044)

Issue

The Apple Support iOS application (version 1.1.1 and below) sends potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, iOS version and screen resolution, unencrypted to a third party site (Adobe Marketing Cloud).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the iOS device without the user's knowledge.

Timeline

June 16, 2017 - Notified Apple via product-security@apple.com
June 16, 2017 - Apple sent an auto acknowledgment
June 16, 2017 - Apple responded stating that they are investigating
July 10, 2017 - Asked for a status update
July 10, 2017 - Apple responded stating that they are still investigating
August 21, 2017 - Asked for a status update
August 21, 2017 - Apple responded stating that they are still investigating
August 30, 2017 - Apple released version 1.2 which sends the analytics data over an encrypted connection
October 17, 2017 - Apple published a security advisory to document the issue

Solution

Upgrade to version 1.2 or later

https://support.apple.com/en-ca/HT208201
https://support.apple.com/en-us/HT201222

CVE-ID: CVE-2017-7147

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close