Queue poisoning attacks allegedly put accounts at risk of takeover

UPDATED A security researcher claims they netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

The bug hunter, a 20-year-old hacker going by the online moniker ‘Stealthy’, said they deployed the same technique to achieve queue poisoning on the domains, paving the way to data disclosure and account takeover with no user interaction required.

The bugs supposedly affected servers for business.apple.com and school.apple.com, which businesses and schools respectively use to manage devices, apps, and accounts, as well as mapsconnect.apple.com, which organizations use to claim and manage business listings on Apple’s maps application.




The HTTP request smuggling flaws were CL.TE – or ‘Content-Length Transfer-Encoding’ – issues, whereby “the front-end server reads the Content-Length header in a request, and the backend server reads the Transfer-Encoding header”, Stealthy explained in a Medium blog post.

Vulnerabilities arise because the servers disagree on where requests begin and end.

Redirecting live users

“A transformation was needed in the Transfer-Encoding header on Apple’s websites using a newline character and then a space in the header name,” said Stealthy.

This change – Transfer-Encoding\n : chunked – “successfully slipped the header past the frontend server but [it] was still used by the backend”.
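An added example, not taken from the article or the researcher's write-up: a strict check a front end can run on the raw header section before forwarding, flagging the malformed field name quoted above and any request that carries both Content-Length and Transfer-Encoding. The function name, problem labels and the sample requests to example.test are constructed for illustration.

```python
import re

# RFC 9110 "token": the only bytes allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_problems(head: bytes) -> list[str]:
    """Return reasons to answer 400 for a raw request head (request line + headers)."""
    problems = []
    # RFC 9112 lets a parser accept a bare LF as a line ending; refusing it is a
    # hardening choice (assumption of this example) so no two hops can disagree.
    if re.search(rb"(?<!\r)\n", head):
        problems.append("bare-lf")
    # Rebuild the lenient view a tolerant back end might see: continuation
    # lines (leading SP/HTAB) are joined onto the previous field line.
    fields = []
    for line in re.split(rb"\r?\n", head.rstrip(b"\r\n"))[1:]:
        if line[:1] in (b" ", b"\t") and fields:
            problems.append("line-folding")
            fields[-1] += line
        else:
            fields.append(line)
    seen = set()
    for line in fields:
        name, sep, _ = line.partition(b":")
        if not sep:
            problems.append("no-colon")
            continue
        # RFC 9112 5.1: whitespace between field name and colon must be rejected.
        if not TOKEN.fullmatch(name):
            problems.append("bad-field-name")
        seen.add(name.strip().lower())
    # RFC 9112 6.1: both framing headers together signal a possible smuggling attempt.
    if {b"content-length", b"transfer-encoding"} <= seen:
        problems.append("cl-and-te")
    return problems

# Constructed sample: the header form quoted in the article, no request body.
OBFUSCATED = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding\n : chunked\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\n"

if __name__ == "__main__":
    print(framing_problems(OBFUSCATED))
    print(framing_problems(CLEAN))
```

Any non-empty result means the request should be refused and the connection closed rather than normalised and forwarded.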

Based on this observation Stealthy crafted the first proof of concept.

“My smuggled path is /static/docs because a redirect occurs there, using the Host header value in the redirect,” continued the researcher. “Thus, I could redirect live users to my server to ensure that the request smuggling affects production users.”




This would enable attackers to redirect JavaScript imports and achieve stored cross-site scripting (XSS) on the host.

More impactful still was the servers’ vulnerability to queue poisoning, an attack technique that “smuggles a complete request and breaks the response queue, which will start sending random responses to unintended users”.

All response data, including Set-Cookie headers, could be disclosed by this technique, the researcher claims.

“Queue poisoning is the most effective technique to prove critical impact with request smuggling,” Stealthy told The Daily Swig.

“I highly recommend that researchers attempt to use it in a safe way when reporting request smuggling to programs.”

Apple responded to the bug report quickly, remediated the vulnerabilities, and paid Stealthy a $12,000 bug bounty reward for each domain, said the researcher.

Apple did not respond to The Daily Swig’s request for comment.


This article was updated on April 8 with additional comment from security researcher ‘Stealthy’.

