Researchers Hacked into Apple Infrastructure Using SQL Injection

Researchers found several points of entry for potential attackers, one of which was Apple’s Book Travel portal, where they took advantage of a significant SQL injection vulnerability.

Experimenting with the Masa/Mura CMS revealed the attack surface, primarily the one available within Apple’s environment. 

The JSON API was the main focus because it provides access to certain functions available within Apple’s environment. A JSON API should be the source of any potentially susceptible sink researchers discover.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Identifying the Vulnerability Sink

In a blog post in ProjectDiscovery Cloud Platform, researchers explain how they focused SQL injection sink detection.

• Parse each CFM/CFC file.
• Go through each statement, select the statement if it’s a tag and its name is cfquery .
• Strip all tags (like cfqueryparam) inside the code block of cfquery and ...