A website adds Apple Pay by integrating with Apple's Apple Pay API, which lets Apple's existing payment infrastructure power the checkout module. But Joshua Maddux of PKC Security noticed that the connection between a site and that infrastructure, and in particular the merchant validation step meant to broker it, can be wired up in a number of different ways, all at the host site's discretion. During validation the site's own server has to contact a URL that Apple supplies, and that URL reaches the server by way of the shopper's browser. An attacker controls their own browser, so they can swap the URL for one of their choosing, for instance one that points the site's server at an internal service, and read back whatever that service returns. From there, the attacker can potentially extract an authorization token or other privileged data, which in turn gives them a foothold in the website's backend infrastructure.
The flaws fit into a well-known class of vulnerability called server side request forgery, or SSRF, in which an attacker tricks a server into making requests on their behalf. Because those requests originate inside the target's own network, they can reach internal services that firewalls would otherwise shield from the outside world. These vulnerabilities pose a real threat and are regularly exploited in the wild; most recently, one played a role in last month's massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access. "It’s not Apple Pay itself, it's purely an exposure to websites that have added support for Apple Pay," Maddux says. "But on the other hand, users who use Apple Pay do trust those merchant sites with their data, so in that respect the connection is important."
Maddux first notified Apple about the issue in February and discussed his proposed mitigations with the company in March. Those included locking down the options for how websites can configure the integration, so that there aren't so many potential exposures. Maddux says that in his evaluation Google Pay, for example, gives more specific directions and offers fewer options. He has since noticed that Apple has revised its documentation for adding an Apple Pay button to make it less likely that sites will integrate it in this potentially vulnerable way, but there don't seem to be any structural changes. Apple did not return a request for comment from WIRED.
Maddux notes that server side request forgery vulnerabilities crop up in other integrations across the web as well, not just in the Apple Pay module. And it is currently possible to implement an Apple Pay button safely if you know how to mitigate the weakness: in practice, the site's server must check that any URL it is asked to contact during merchant validation really points at Apple's servers before it connects, rather than trusting whatever the browser sent. But Maddux says there needs to be more awareness of the problem, because popular integrations like Apple Pay end up on countless sites across the web and create exposures even if a site's users never interact with the module.
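The following is an added illustration for this article, not code from Apple, from the researcher quoted here, or from any affected site. It models the merchant validation step described at the top of the piece in a Node.js backend handler, first in the form that creates the SSRF exposure and then in the safer form the previous paragraph alludes to. The assumed flow is the one Apple Pay on the web uses: the browser receives a validation URL from Apple, the page forwards that URL to the merchant's server, and the server POSTs to it server-to-server to obtain a merchant session. The host names, handler names, payload values and the fake transport are constructed for the example; the `.apple.com` suffix check is a reasonable default that should be tightened to Apple's published gateway host list where you have it.

```javascript
// Added example for this article (not Apple's or the researcher's code).
// Models a merchant backend endpoint that performs Apple Pay merchant
// validation. All names, hosts and payload values below are placeholders.

// Payload the merchant server sends to Apple. Values are placeholders.
const MERCHANT_PAYLOAD = {
  merchantIdentifier: "merchant.com.example.shop",
  displayName: "Example Shop",
  initiative: "web",
  initiativeContext: "shop.example.com",
};

// Assumed host suffix for genuine validation URLs. Tighten to an exact
// allowlist of Apple's documented gateway hosts where that list is available.
const APPLE_HOST_SUFFIX = ".apple.com";

// VULNERABLE: trusts the URL exactly as the browser supplied it. The browser
// belongs to the attacker, so the merchant server can be pointed at internal
// services (cloud metadata endpoints, admin consoles) and the reply comes
// straight back to the attacker. `post(url, payload)` is the HTTPS client.
function validateMerchantVulnerable(requestBody, post) {
  return post(requestBody.validationURL, MERCHANT_PAYLOAD);
}

// Returns the normalised URL if it is acceptable as an Apple Pay validation
// URL, otherwise null. Uses the WHATWG URL parser, which lowercases the host
// and strips a default port, so the checks below see canonical values.
function checkValidationUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch (e) {
    return null; // unparseable, undefined, relative paths, etc.
  }
  if (u.protocol !== "https:") return null;   // rejects http:, file:, gopher:, ...
  if (u.username || u.password) return null;  // rejects https://gateway.apple.com@evil/
  if (u.port !== "") return null;             // default port only (":443" is stripped)
  if (!u.hostname.endsWith(APPLE_HOST_SUFFIX)) return null; // evil-apple.com, apple.com.evil.net fail
  return u.href;
}

// HARDENED: validates the URL before the server-to-server call and only
// relays the upstream body when an allowed host answered 200.
function validateMerchantHardened(requestBody, post) {
  const target = checkValidationUrl(requestBody.validationURL);
  if (target === null) {
    return { status: 400, body: { error: "invalid validationURL" } };
  }
  // A real transport should also refuse to follow redirects and use a short timeout.
  const res = post(target, MERCHANT_PAYLOAD);
  if (res.status !== 200) {
    return { status: 502, body: { error: "merchant validation failed" } };
  }
  return { status: 200, body: res.body }; // merchant session for completeMerchantValidation
}

// Fake transport standing in for the HTTPS client so the example runs offline.
// Records where the server was told to connect and returns canned replies.
function makeFakePoster() {
  const calls = [];
  function post(url, payload) {
    calls.push(url);
    if (new URL(url).hostname.endsWith(APPLE_HOST_SUFFIX)) {
      return { status: 200, body: { epochTimestamp: 0, merchantSessionIdentifier: "FAKE-SESSION" } };
    }
    // Anything else: pretend an internal service answered with something sensitive.
    return { status: 200, body: { secret: "internal-only data" } };
  }
  return { post, calls };
}

// Demonstration: attacker-supplied URL against both handlers, then a genuine one.
function demo() {
  const evil = { validationURL: "https://169.254.169.254/latest/meta-data/" };
  const legit = { validationURL: "https://apple-pay-gateway.apple.com/paymentservices/startSession" };
  const a = makeFakePoster();
  const leaked = validateMerchantVulnerable(evil, a.post);
  const b = makeFakePoster();
  const blocked = validateMerchantHardened(evil, b.post);
  const ok = validateMerchantHardened(legit, b.post);
  console.log("vulnerable handler contacted:", a.calls, "and returned:", JSON.stringify(leaked));
  console.log("hardened handler contacted:", b.calls, "evil ->", blocked.status, "legit ->", ok.status);
  return { leaked, blocked, ok, vulnerableCalls: a.calls, hardenedCalls: b.calls };
}

demo();
```

The checks in `checkValidationUrl` each close a specific bypass: scheme pinning stops the server being steered to non-HTTPS or non-HTTP protocols, the userinfo check defeats `https://trusted-host@attacker-host/` tricks, the port check keeps the request on 443, and the suffix match on the parsed hostname (not a substring search over the raw string) means look-alike domains and attacker subdomains are rejected. Refusing redirects and applying a timeout in the real HTTP client are additional defenses the fake transport does not model.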