Data: CASIE
Negative Trigger
of and is in the middle of [fixing | Vulnerability-related.PatchVulnerability] a pair of vulnerabilities that exist in iTunes and the App Store. If [exploited | Vulnerability-related.DiscoverVulnerability], researchers [claim | Vulnerability-related.DiscoverVulnerability] an attacker could inject malicious script into the application side of the vulnerable module or function.

Vulnerability Lab’s Benjamin Kunz Mejri [disclosed | Vulnerability-related.DiscoverVulnerability] the vulnerabilities on Monday, [explaining | Vulnerability-related.DiscoverVulnerability] the issues can be jointly [exploited | Vulnerability-related.DiscoverVulnerability] via iTunes and the App Store’s iOS “Notify” function. Apple implemented the function in September, in the weeks leading up to the release of the game Super Mario Run. The function takes information from the device, such iCloud credentials or devicename values, to alert users when a soon-to-launch application debuts.

Mejri, the firm’s founder, [claims | Vulnerability-related.DiscoverVulnerability] the Notify functionality can [be exploited | Vulnerability-related.DiscoverVulnerability] via a persistent input validation vulnerability and mail encoding web vulnerability. An attacker could substitute the name variable–the vulnerable firstname parameter–with a script launching a payload. Mejri said the issue stems from how Apple sends notifications from its @new-itunes.com web server; which doesn’t properly validate the iCloud name or devicename parameter. Instead of displaying introductory text, it can be rigged to execute malicious payloads.

“The vulnerability can [be exploited | Vulnerability-related.DiscoverVulnerability] on restricted accessible iOS devices to the main account holder inbox,” Mejri [wrote in his disclosure | Vulnerability-related.DiscoverVulnerability] Monday, “The issue could be used as well to continue to calendar spam activities”. Mejri [told | Vulnerability-related.DiscoverVulnerability] Threatpost Tuesday that while the issue isn’t highly exploitable, it “definitely has a nice impact”. Exploiting the persistent input validation flaw would be easier, because it only requires an Apple account and “low or medium user interaction,” according to the researcher. Ultimately, if stitched together, he [warns | Vulnerability-related.DiscoverVulnerability], the bugs could result in session hijacking, persistent phishing attacks, and persistent redirect to external sources.

Mejri [said | Vulnerability-related.DiscoverVulnerability] he [contacted | Vulnerability-related.DiscoverVulnerability] Apple’s Product Security Team about the issues on Dec. 15 and [acknowledged | Vulnerability-related.DiscoverVulnerability] that the vulnerability should be able to be resolved on the server-side without performing any required end-user interaction or updates. He said a temporary patch [has been implemented | Vulnerability-related.PatchVulnerability] and believes a full fix [is expected | Vulnerability-related.PatchVulnerability] later this month. It’s unclear exactly when this month Apple [will push that fix | Vulnerability-related.PatchVulnerability], however; it last updated iTunes in December, [fixing | Vulnerability-related.PatchVulnerability] 23 WebKit vulnerabilities in the software. Apple did not return multiple requests for [comment regarding | Vulnerability-related.DiscoverVulnerability] the vulnerabilities on Monday and Tuesday.

A month after first communicating the issues to Apple, Vulnerability Lab elected to publish a proof of concept around the issues to see if they had any legs. “We decided to release the information until somebody uses the issue to exploit via iTunes,” Kunz Mejri told Threatpost Tuesday.

The vulnerability is similar to one [disclosed | Vulnerability-related.DiscoverVulnerability] by Vulnerability Lab and [patched | Vulnerability-related.PatchVulnerability] by Apple in iTunes and the App Store a year and a half ago. Before it [was fixed | Vulnerability-related.PatchVulnerability], like this week’s issue, an attacker could have remotely injected script into invoices, something that could have lead to hijacking, phishing, and redirect.