High street banks are losing the battle against fraud as criminals switch tactics to target customers directly. Efforts by lenders to bolster their IT defences against hackers have simply encouraged fraudsters to bombard individual customers with scams, according to Financial Fraud Action UK. Despite investing millions in tackling fraud, losses from fraud rose last year as banks became less effective at preventing scams. Financial Fraud Action UK said this was ‘largely due to criminals shifting their methods away from using malware attacks on online banking systems, which bank security processes identified’. Increasingly, it said, fraudsters are focusing on targeting individuals directly, which is harder for banks to stop. The report said the main ploy used by criminals is the ‘impersonation and deception scam’, in which they pretend to be from a ‘legitimate and trusted organisation’ such as a bank, the police, a utility company or a government department. These scams typically involve the fraudster contacting the customer by phone call, text message or email. Often the fraudster will claim there has been suspicious activity on an account, ask the individual to verify or update their account details, or claim they are due a refund. The criminal then attempts to trick the target into giving away personal or financial information, such as passwords, payment card details or bank account information. Financial Fraud Action UK, which represents banks, said its intelligence suggests criminals have also recently increased their focus on ‘phishing’ emails claiming to be from major online retailers and internet companies. It warned these emails are an ‘increasingly sophisticated’ attempt to trick recipients into giving away personal and financial details, or into downloading malware that compromises their computers.
Several banks have been targeted by high-profile cyber attacks that attempted to exploit weaknesses in their IT systems. Last November criminals launched an online attack against Tesco Bank that resulted in the loss of £2.5 million from 9,000 accounts. Others to have been targeted include Royal Bank of Scotland and NatWest, Lloyds and HSBC. The threat to Britain’s financial infrastructure from persistent cyber attacks prompted chancellor Philip Hammond to commit an extra £1.9 billion in the autumn statement to boost Britain’s defences against the growing online threat.
A severe WordPress vulnerability that has been left unpatched for a year has the potential to disrupt countless websites running the CMS, researchers claim. At the BSides technical cybersecurity conference in Manchester on Thursday, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise. If the site permits the upload of files, such as image formats, attackers can upload a crafted thumbnail file in order to trigger a file operation through the "phar://" stream wrapper. The same technique turns XML External Entity (XXE) and Server Side Request Forgery (SSRF) flaws into a route to unserialization in the platform's code: on their own such flaws may only result in information disclosure and be rated low risk, but they can act as a pathway to a more serious remote code execution attack. The security researcher says the core vulnerability, which is yet to receive a CVE number, is within the wp_get_attachment_thumb_file function in /wp-includes/post.php; when attackers gain control of a parameter used in the "file_exists" call, the bug can be triggered. Unserialization occurs when serialized variables are converted back into PHP values. When autoloading is in place, this can result in code being loaded and executed, an avenue attackers may exploit in order to compromise PHP-based frameworks. "Unserialization of attacker-controlled data is a known critical vulnerability, potentially resulting in the execution of malicious code," the company says.
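To make the phar:// mechanism concrete, the Python script below is added here as an illustration; it is not code from Secarma's white paper or from WordPress. It builds a minimal phar archive whose stub starts with JPEG magic bytes (so a naive image check passes) and whose manifest carries a serialized PHP object as metadata, which is the field PHP unserializes on any phar:// file operation, file_exists() included. It then shows the two defensive checks a practitioner would want: a scanner that recognises phar-shaped uploads regardless of extension or magic bytes, and a guard that refuses stream-wrapper schemes in a filename before it reaches a file operation. The byte layout follows the phar file format as documented in the PHP manual; the serialized payload is a harmless stdClass placeholder rather than a gadget chain, and the function names and the decision to require the "GBMB" trailer are this example's own assumptions.

```python
import hashlib
import re
import struct
import time
import zlib

HALT_STUB_TAIL = b"__HALT_COMPILER(); ?>\r\n"  # every phar stub ends with __HALT_COMPILER();
PHAR_HDR_SIGNATURE = 0x00010000               # manifest flag: archive carries a signature trailer
PHAR_SIG_SHA1 = 0x0002                        # signature type written in the trailer
ENTRY_FLAGS = 0x1B6                           # per-file flags: mode 0666, not compressed

# Constructed placeholder metadata in PHP serialize() format: one stdClass with one property.
# A real attack would put a gadget chain built from an autoloadable class here.
PLACEHOLDER_METADATA = b'O:8:"stdClass":1:{s:4:"note";s:6:"marker";}'


def build_phar(stub_prefix, metadata, files):
    """Assemble a phar: stub, manifest carrying `metadata`, file contents, SHA1 trailer.
    stub_prefix goes in front of __HALT_COMPILER(); JPEG magic bytes there give a polyglot."""
    stub = stub_prefix + HALT_STUB_TAIL
    entries, contents = b"", b""
    for name, data in files.items():
        name_b = name.encode()
        entries += struct.pack("<I", len(name_b)) + name_b
        # uncompressed size, mtime, compressed size, crc32, flags, per-file metadata length
        entries += struct.pack("<IIIIII", len(data), int(time.time()), len(data),
                               zlib.crc32(data) & 0xFFFFFFFF, ENTRY_FLAGS, 0)
        contents += data
    manifest = struct.pack("<I", len(files))            # number of files
    manifest += b"\x11\x10"                             # API version field (0x1110)
    manifest += struct.pack("<I", PHAR_HDR_SIGNATURE)   # global flags
    manifest += struct.pack("<I", 0)                    # alias length: no alias
    manifest += struct.pack("<I", len(metadata)) + metadata + entries
    body = stub + struct.pack("<I", len(manifest)) + manifest + contents
    # Trailer: SHA1 over everything before it, then the hash type, then the "GBMB" magic.
    return body + hashlib.sha1(body).digest() + struct.pack("<I", PHAR_SIG_SHA1) + b"GBMB"


def phar_metadata(blob):
    """Return the serialized metadata of a phar-shaped blob, or None if it is not one."""
    idx = blob.find(b"__HALT_COMPILER();")
    if idx < 0 or not blob.endswith(b"GBMB"):
        return None
    pos = idx + len(b"__HALT_COMPILER();")
    if blob[pos:pos + 3] == b" ?>":          # PHP tolerates an optional " ?>" and newline
        pos += 3
    if blob[pos:pos + 2] == b"\r\n":
        pos += 2
    elif blob[pos:pos + 1] == b"\n":
        pos += 1
    pos += 4                                  # skip the manifest length field
    alias_len, = struct.unpack_from("<I", blob, pos + 10)   # after count(4)+version(2)+flags(4)
    meta_pos = pos + 14 + alias_len
    meta_len, = struct.unpack_from("<I", blob, meta_pos)
    return blob[meta_pos + 4:meta_pos + 4 + meta_len]


def classify_upload(blob):
    """Upload scanner: an image upload should never parse as a phar archive at all."""
    meta = phar_metadata(blob)
    if meta is None:
        return "clean"
    return "phar-with-object" if b"O:" in meta else "phar"


SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:")   # phar:, php:, data:, compress.zlib: ...


def is_plain_attachment_path(value):
    """Guard for a filename about to reach file_exists()/fopen(): refuse any stream-wrapper
    scheme (PHP dispatches scheme: to the wrapper, which is how phar:// gets evaluated)
    and any directory traversal component."""
    if SCHEME_RE.match(value.lower()):
        return False
    return ".." not in value.replace("\\", "/").split("/")


if __name__ == "__main__":
    polyglot = build_phar(b"\xff\xd8\xff\xe0", PLACEHOLDER_METADATA, {"thumb.txt": b"x"})
    print(polyglot[:4].hex(), classify_upload(polyglot))
    print(is_plain_attachment_path("phar://../uploads/2018/08/evil.jpg"))
```

The scanner requires both the `__HALT_COMPILER();` token and the signature trailer because PHP's default phar.require_hash=1 rejects unsigned archives; a stricter policy would reject any upload containing the token alone, since no legitimate image carries it.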
The issue of unserialization was first uncovered back in 2009, and since then vulnerabilities have been recognized in which the integrity of PHP systems can be compromised, such as CVE-2017-12934, CVE-2017-12933 and CVE-2017-12932. The WordPress content management system (CMS) is used by millions of webmasters to manage domains, which means the vulnerability potentially has a vast victim pool should the flaw be exploited in the wild. "I've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk," Thomas explained. "Issues which they might have thought were fixed with a configuration change or had been considered quite minor previously might need to be reevaluated in the light of the attacks I demonstrated." According to Secarma, the CMS provider was made aware of the security issue in February 2017, but "is yet to take action." Technical details have been provided in a white paper (.PDF). "This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages," Thomas said. "We must constantly be aware of the security impact of such mechanisms being exposed to attackers." No reports have been received which suggest the exploit is being actively used in the wild. The vulnerability was originally reported through the WordPress HackerOne bug bounty program last year. The issue was confirmed after several days and Thomas was credited for his findings.
However, a Secarma spokesperson told ZDNet that while there was "some attempt to fix the issue" in May 2017, this did not address the problem. "Communication then went dead for a number of months and has only recently begun again," the spokesperson added. ZDNet has reached out to WordPress and will update if we hear back.
An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops. The flaw was discovered by researchers from security consultancy DefenseCode and is located in a feature that retrieves preview images for videos hosted on Vimeo. Such videos can be added to product listings in Magento. The DefenseCode researchers determined that if the image URL points to a different file, for example a PHP script, Magento will download the file in order to validate it. If the file is not an image, the platform will return a "Disallowed file type" error, but won't actually remove it from the server. An attacker able to exploit this flaw could achieve remote code execution by first tricking Magento into downloading an .htaccess configuration file that enables PHP execution inside the download directory, and then downloading the malicious PHP file itself. Once on the server, the PHP script can act as a backdoor and can be accessed from an external location by pointing a browser at it. For example, attackers could use it to browse the server directories and read the database password from Magento's configuration file. This can expose customer information stored in the database, which in the case of online shops can be very sensitive. The only limitation is that this vulnerability cannot be exploited directly, because the video-linking functionality requires authentication. This means attackers need access to an account on the targeted website, but this can be a lower-privileged user and not necessarily an administrator. The authentication obstacle can also be easily overcome if the website doesn't have the "Add Secret Key to URLs" option turned on.
This option is intended to prevent cross-site request forgery (CSRF) attacks and is enabled by default. CSRF is an attack technique that involves forcing a user’s browser to perform an unauthorized request on a website while visiting a different one. "The attack can be constructed as simple as <img src=… in an email or a public message board, which will automatically trigger the arbitrary file upload if a user is currently logged into Magento," the DefenseCode researchers said in an advisory. "An attacker can also entice the user to open a CSRF link using social engineering." This means that by simply clicking on a link in an email or by visiting a specifically crafted web page, users who have active Magento sessions in their browser might have their accounts abused to compromise websites. The DefenseCode researchers claim that they reported these issues to the Magento developers back in November, but have received no information regarding patching plans since then. Several versions of the Magento Community Edition (CE) have been released since November, the most recent one being 2.1.6 on Tuesday. According to DefenseCode, all Magento CE versions continue to be vulnerable, which is what prompted them to go public about the flaw. “We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild,” Magento, the company that oversees development of the e-commerce platform, said in an emailed statement. “We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes.”
"All users are strongly advised to enforce the use of 'Add Secret Key to URLs', which mitigates the CSRF attack vector," the DefenseCode researchers said. "To prevent remote code execution through arbitrary file upload, the server should be configured to disallow .htaccess files in affected directories." Magento is used by over 250,000 online retailers, making it an attractive target for hackers. Last year, researchers found thousands of Magento-based online shops that had been compromised and infected with malicious code that skimmed payment card details.
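The ordering mistake at the heart of this flaw (download first, reject afterwards, leave the rejected file in place) can be shown without Magento itself. The Python below is an added illustration, not Magento's code or DefenseCode's proof of concept: store_preview_vulnerable mirrors the flow the researchers describe, store_preview_hardened validates the bytes before anything touches the download directory and never reuses the remote filename, and run_demo feeds both a constructed .htaccess body, a constructed PHP file and a constructed PNG header so the difference in what is left on disk is visible. The image check is a magic-byte test only, which is an assumption a production validator would replace with a real decoder; the CSRF side of the advisory is not covered here.

```python
import hashlib
import os
import shutil
import tempfile

# Magic bytes for the image types a product-video preview is allowed to be.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def image_type(data):
    """Return the extension for a recognised image header, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_preview_vulnerable(download_dir, remote_name, data):
    """Flow described in the article: write the fetched file under the name the remote
    URL supplied, then validate. A rejected file is reported but never removed."""
    path = os.path.join(download_dir, remote_name)
    with open(path, "wb") as fh:
        fh.write(data)
    if image_type(data) is None:
        raise ValueError("Disallowed file type")   # `path` stays on disk
    return path


def store_preview_hardened(download_dir, remote_name, data):
    """Validate before writing, derive the stored name from content rather than the URL,
    and write through a temp file so a crash never leaves a partial file behind.
    Independently of this code, the web server should refuse .htaccess in the download
    directory (Apache: AllowOverride None) so an uploaded one is inert if the app regresses."""
    ext = image_type(data)
    if ext is None:
        raise ValueError("Disallowed file type")   # nothing has been written
    final_name = hashlib.sha256(data).hexdigest() + "." + ext   # never a dotfile, never .php
    fd, tmp = tempfile.mkstemp(dir=download_dir, prefix="pending-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        final = os.path.join(download_dir, final_name)
        os.replace(tmp, final)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def run_demo():
    """Run both flows against constructed inputs and report what each leaves on disk."""
    htaccess = b"AddType application/x-httpd-php .jpg\n"   # constructed: re-enables PHP for .jpg
    php_file = b"<?php phpinfo(); ?>"                      # constructed stand-in for a backdoor
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16              # constructed: just a PNG header
    samples = ((".htaccess", htaccess), ("shell.php", php_file), ("cover.png", png))
    report = {}
    for label, store in (("vulnerable", store_preview_vulnerable),
                         ("hardened", store_preview_hardened)):
        workdir = tempfile.mkdtemp(prefix="preview-")
        try:
            rejected = []
            for name, data in samples:
                try:
                    store(workdir, name, data)
                except ValueError:
                    rejected.append(name)
            report[label] = {"rejected": rejected, "on_disk": sorted(os.listdir(workdir))}
        finally:
            shutil.rmtree(workdir)
    return report


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

Both flows reject the same two files; only the vulnerable one leaves them where the web server can find them, which is exactly the state the .htaccess-then-PHP chain in the article relies on.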
Security researchers from Neseso are sounding the alarm on a vulnerability they've discovered in Samsung smart TVs that Samsung declined to fix. The security flaw affects Wi-Fi Direct, a Wi-Fi standard that enables devices to connect to each other without requiring a wireless access point. Samsung uses Wi-Fi Direct in its smart TVs to let TV owners connect to the TV directly from their phones, laptops or tablets, rather than through the local access point. Neseso researchers claim that Samsung has failed in its implementation of this standard, as Samsung TVs use only MAC addresses to authenticate users. Other vendors use more solid authentication systems based on a push-button or PIN. Because anyone can sniff and spoof MAC addresses, this vulnerability opens the user's TV to being hacked by anyone within range of the TV's Wi-Fi Direct coverage. "Once connected, the attacker has access to all the services provided by the TV, such as remote control service or DLNA screen mirroring," Neseso researchers wrote in their report. The dangers are palpable for companies, as most have smart TVs in their offices, employee lounges, customer waiting rooms or board rooms. Worse, the Samsung smart TV Wi-Fi Direct feature is enabled by default every time the device boots up. Users are notified on screen when a whitelisted device connects to the TV via Wi-Fi Direct, but those warnings could be misinterpreted by TV owners, or missed altogether if nobody is watching the TV. Contacted by Neseso in mid-March, Samsung answered that it doesn't view this feature as a security risk and declined to provide a firmware update, telling Neseso it does not consider the issue a "security threat."
Researchers tested their attack on a Samsung UN32J5500 running firmware version 1480, but say that other versions are most likely vulnerable as well. There is currently no workaround for protecting against attacks via Wi-Fi Direct except turning off the feature every time you boot or reboot the device. Earlier this month, at the Security Analyst Summit 2017, security expert Amihai Neiderman disclosed the presence of 40 zero-day vulnerabilities in Tizen, the operating system that runs on Samsung smart TVs. The flaws were all unpatched at the time they were reported.
Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation. SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers. Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers. Their internet scans revealed hundreds of thousands of devices whose configurations could be changed remotely through the SNMP weakness that they found and dubbed StringBleed. The leaking of sensitive configuration data through the default "public" SNMP community string is a known problem that has affected many devices over the years. The two researchers first located a small number of vulnerable devices, including the Cisco DPC3928SL cable modem that's now part of Technicolor's product portfolio following the company's acquisition of Cisco's Connected Devices division in 2015. The researchers claim that when they reported the issue to Technicolor, the company told them it was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself.
This prompted the researchers to perform a wider internet scan that resulted in the discovery of 78 vulnerable cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson. Regardless of the cause, the problem is serious, as attackers could exploit this flaw to extract administrative and Wi-Fi passwords or to hijack devices by modifying their configurations. There's not much that users can do if their ISP supplied them with a vulnerable device, other than ask for a different model or install their own modem. Unfortunately, not many ISPs allow their residential customers to use their own gateway devices, because they want uniformity and remote management capabilities on their networks. Determining whether a particular device is vulnerable to this issue is possible, but requires a bit of work. An online port scanner like ShieldsUp can be used to determine whether the device responds to SNMP requests (UDP port 161) over its public IP address. If SNMP is open, a different online tool can be used to check whether the device's SNMP server returns valid responses when the "public" or random community strings are used. A valid response to the default "public" string indicates at least an information leak; a valid response to a random string means the community string is not being checked at all, which is the StringBleed condition.
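The check described above can be done with a short script rather than online tools. The Python below is an added example, not the researchers' scanner: it hand-encodes an SNMPv1 GetRequest for sysDescr (1.3.6.1.2.1.1.1.0) in BER, parses the GetResponse, and classify applies the reasoning in the paragraph above, treating a reply to a random community string as an authentication bypass and a reply only to "public" as an exposed default community. probe does real UDP I/O and should only be pointed at a gateway you are responsible for; the encoder and parser are self-contained and are what the embedded check exercises.

```python
import os
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2


def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value):
    """Minimal two's-complement INTEGER; only non-negative values are needed here."""
    if value < 0:
        raise ValueError("negative integers not needed here")
    return tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_oid(oid):
    body = bytearray([40 * oid[0] + oid[1]])   # first two arcs share one byte
    for sub in oid[2:]:
        chunk = [sub & 0x7F]                    # base-128, high bit set on all but the last
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(body))


def encode_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 message: version 0, community, PDU(request-id, error-status, error-index, varbinds).
    varbinds is a list of (oid_tuple, already-encoded value)."""
    vb_list = b"".join(tlv(TAG_SEQUENCE, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(TAG_SEQUENCE, vb_list))
    return tlv(TAG_SEQUENCE, encode_int(0) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, request_id=1, oid=SYS_DESCR_OID):
    return encode_message(community, TAG_GET_REQUEST, request_id, [(oid, tlv(TAG_NULL, b""))])


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_sequence(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        items.append((tag, value))
    return items


def parse_get_response(datagram, expected_id):
    """Return sysDescr from a matching GetResponse, or None for anything else
    (wrong request-id, error-status set, malformed bytes, non-string value)."""
    try:
        tag, msg, _ = read_tlv(datagram)
        if tag != TAG_SEQUENCE:
            return None
        (_, _version), (_, _community), (pdu_tag, pdu) = read_sequence(msg)
        if pdu_tag != TAG_GET_RESPONSE:
            return None
        fields = read_sequence(pdu)
        request_id = int.from_bytes(fields[0][1], "big", signed=True)
        error_status = int.from_bytes(fields[1][1], "big", signed=True)
        if request_id != expected_id or error_status != 0:
            return None
        first_varbind = read_sequence(fields[3][1])[0][1]
        value_tag, value = read_sequence(first_varbind)[1]
    except (IndexError, ValueError):
        return None
    if value_tag != TAG_OCTET_STRING:
        return None
    return value.decode("utf-8", errors="replace")


def probe(host, community, timeout=2.0, port=161):
    """Send one GetRequest; return sysDescr, or None when the agent stays silent
    (SNMPv1 agents drop requests carrying a wrong community instead of answering)."""
    request_id = int.from_bytes(os.urandom(3), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, request_id), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data, request_id)


def classify(host):
    """'auth-bypass': a random community is accepted; 'default-community': only 'public'
    answers; 'closed': no reply to either."""
    if probe(host, os.urandom(8).hex()) is not None:
        return "auth-bypass"
    if probe(host, "public") is not None:
        return "default-community"
    return "closed"


if __name__ == "__main__":
    import sys
    print(classify(sys.argv[1]))
```

Because the request-id is random per probe and the parser insists on it matching, a stray or spoofed datagram cannot be mistaken for an answer; a "closed" result from a public address is also what you would see if the ISP filters UDP 161 upstream, so it does not prove the modem itself checks the community.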