Apple site vulnerability exposed by Abir Atarthy: Apple sent appraisal letter!

The Apple website is not secure.  While surfing  the Apple site http://www.apple.com/ I have found   several  encryption  related vulnerabilities.   Here  are those:-

1) www.apple.com site is supporting SSL 2.0(on port 443) cipher with weak encryption as follows:
DES -CBC-MD5- 56 bits.
EXP-RC2-CBC-MD5 40 bits.
EXP-RC4-MD5- 40 bits.

Recommendation:- pls. remove the support of SSL 2.0.
as it is outdated weak encryption. Any encryption below 128 bit is weak.

2) in SSL v3.0  the site is supporting few weak encryption as follows which a malicious user can exploit.
EXP-DES-CBC-SHA 40 bits.
EXP-RC2-CBC-MD5 40 bits
EXP-RC4-MD5 40 bits.
Recommendation:- pls. remove the support of all these weak weak encryption. Any encryption below 128 bit is weak.

3) The site is supporting TLS v1 which is strong but the following encryption in TLS should be removed
EXP-DES-CBC-SHA 40 bits.

4)The webserver /lib/prototype.js    file is affected.

This page does not exist. By requesting a page that does not exist more fully qualified path names were found. From this

information an attacker may learn the file system structure  from the webserver. This information can be used to conduct

further attacks.

Recommendation: The information should not be available to the user. You need to configure your server or web

application not to return this information.

5)A possible sensitive directory had been found at following directories.
/CVS, /data, /downloads, /downloads/scripts, /global, /hotnews/scripts, /reseller,
It looks for common sensitive resources like back up directories, database dumps, administration pages.
Each one of these directories  could help an attacker  to learn more about the target.
This directory may expose sensitive information that could make a malicious user to prepare for further attack.
Recommendation:-  Restrict access to this directories or remove it.

I have mailed it to Apple team along with countermeasures.

Apple  development center has sent me an appraisal  letter.  Here is the part of the letter.

appraisal  letter from Apple:-

Follow-up:  162664922


Re: Apple Developer Feedback

Hello Abir,

Thank you for contacting Apple Developer Support regarding the Developer website.

We appreciate that you have taken the time to send us your feedback. Please be assured that all of your comments have been forwarded to the appropriate Apple team.

If you have further questions or comments, please let us know.

Best regards,

Madoka Nakamura
Apple Developer Support

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: