Data Protection

Flaw in Apple Music for Android Exposes User Data

An update released this week by Apple for the Apple Music application for Android addresses a certificate validation issue that can be exploited to intercept potentially sensitive data.

In addition to a new design and new features, version 2.0 of Apple Music for Android, which according to Google Play has between 10 and 50 million installs, patches a vulnerability that can allow a man-in-the-middle (MitM) attacker to obtain user information.

The vulnerability, tracked as CVE-2017-2387, was reported to Apple by David Coomber of Info-Sec.CA back in August 2016. At the time, the researcher determined that the flaw affected Apple Music 1.2.1 and earlier versions of the Android app.

In an advisory published this week, Coomber said he asked Apple for a status update in January, and the company said it was still working on addressing the security hole.

The problem, according to the researcher, was that the app did not validate the SSL/TLS certificates presented by the login and payment servers when it connected to them.

“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently,” Coomber explained in his advisory. “Sensitive information could be captured by an attacker without the user’s knowledge.”
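The defect class described above is usually the result of an app replacing the platform's default certificate checks with its own permissive ones. The following Java snippet is an added illustration, not code from Apple Music or from Coomber's advisory, and the exact cause of CVE-2017-2387 is not stated on this page; the class name, method names and the `example.invalid` host are assumptions chosen for the example. It places the two common anti-patterns (a trust-everything `X509TrustManager` and an accept-any-host `HostnameVerifier`) beside the hardened form, which simply keeps the Android/Java defaults so that a bogus certificate fails the handshake instead of being accepted silently.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Illustrative example (assumed class name); not the Apple Music code base.
public class TlsValidationExample {

    // ANTI-PATTERN 1: a TrustManager whose check methods never throw, so every
    // chain, including one minted by a man-in-the-middle, passes "validation".
    static final TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // ANTI-PATTERN 2: a HostnameVerifier that ignores whether the certificate
    // was issued for the host the app is actually talking to.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // Vulnerable wiring: the defaults are overridden with the permissive objects above.
    // Any interception proxy on the path can now read login and payment traffic.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn;
    }

    // Hardened form: do not install a custom TrustManager or HostnameVerifier.
    // HttpsURLConnection then validates the chain against the system trust store
    // and checks the hostname; an attacker's certificate raises an
    // SSLHandshakeException rather than being accepted silently.
    static HttpsURLConnection openValidated(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Optional defence in depth on Android 7+: declare certificate pins in
        // res/xml/network_security_config.xml instead of writing trust code here.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // example.invalid is a reserved, non-resolving name used here as a placeholder.
        URL loginEndpoint = new URL("https://example.invalid/login");
        HttpsURLConnection conn = openValidated(loginEndpoint);
        System.out.println("Using default verifier: " + conn.getHostnameVerifier().getClass().getName());
    }
}
```

When reviewing an Android build for this class of bug, the things to look for are exactly the objects above: any `X509TrustManager` whose `checkServerTrusted` body is empty or only logs, any `HostnameVerifier` that unconditionally returns `true`, and any `SSLContext.init` call that passes such a manager. Their absence, together with a Network Security Config that does not set `trust-anchors` to user-installed certificates in release builds, is what keeps the platform's validation in force.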

It’s worth noting that this appears to be the first security advisory released by Apple for the Music app. The Android application was introduced in November 2015.

Related: WikiLeaks Releases Data on CIA’s Apple Hacking Tools

Related: Apple Patches Hundreds of Vulnerabilities Across Product Lines

Related: Apple Patches Code Execution Flaw in GarageBand

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
