Apple website hit by SQL injection and XSS

Apple’s website has been hit by cross-site scripting (XSS) and SQL injection vulnerabilities. The SQL injection vulnerability gave access to the data stored in the underlying databases. The Anonymous collective disclosed the SQL injection vulnerability in a survey script hosted on the Apple Business Intelligence (abs.apple.com) website. The database type was identified as MySQL and the whole database was dumped.

Iframe injection

Also, an independent hacker known as Idahc disclosed vulnerabilities on an Apple site. The hacker found XSS and SQL injection vulnerabilities in Apple’s website. The XSS weakness can be exploited to inject iframes into the page by directing victims to a specially crafted URL. This type of flaw can be used to enhance phishing or malware distribution attacks. The pastebin disclosure can be read here. It seems that big corporations are not very worried about their security, and site administrators are the least bothered. These kinds of vulnerabilities are listed on the OWASP Top 10 list, and SQL injection topped the list of dangerous attack vectors. A little more awareness is required to cope with these flaws. After all, security is the biggest concern we have in cyberspace today.
