Researchers Hacked Apple Infrastructure Using SQL Injection

Researchers found several points of entry for potential attackers, one of which was Apple’s Book Travel portal, where they took advantage of a significant SQL injection vulnerability.

Experimenting with the Masa/Mura CMS revealed the attack surface, primarily the one available within Apple’s environment. 

The JSON API was the main focus because it provides access to certain functions available within Apple’s environment. A JSON API should be the source of any potentially susceptible sink researchers discover.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Identifying the Vulnerability Sink

In a blog post in ProjectDiscovery Cloud Platform, researchers explain how they focused SQL injection sink detection.

  • Parse each CFM/CFC file.
  • Go through each statement, select the statement if it’s a tag and its name is cfquery .
  • Strip all tags (like cfqueryparam) inside the code block of cfquery and if it still has arguments in the codeblock then the input is not parameterized and the query is susceptible to an SQL injection, given no other validation is in place.
  • Print this query.
getObjects was called within the dspObjects

A critical condition in the dspObjects function was found by researchers. An if condition needs to be met before invoking getObjects: the Mura servlet event handler’s isOnDisplay property needs to be set to true. 

At first, researchers thought that any property on the event handler could be set by just providing the property name and value as parameters. Their debugging session inside the codebase served as the foundation for this hypothesis.

The previewID property can be set to any value by supplying it as an argument, and this will cause the isOnDisplay property to be set to true.

“Since this was an error-based SQL injection, we could exploit it quite easily to achieve Remote Code Execution (RCE). Locally, we successfully performed RCE”, researchers said.

Researchers used these procedures to successfully conduct RCE:

  • Reset an Admin user’s password.
  • Obtain the reset token and user ID via SQL injection.
  • Use the password reset endpoint with exfiltrated info.
  • Utilize plugin installation to upload CFM files.

Disclosing the Findings

The researchers duly shared the findings with Apple and the corresponding Masa and Mura CMS teams.

Apple promptly addressed the stated issue by responding and implementing a fix within two hours of the initial report. 

Masa is an open-source fork of Mura CMS; they released a fixed version of Masa CMS with great transparency. 

The most recent security fixes, which address another critical pre-auth SQL injection and have been assigned CVE (CVE-2024-32640), are included in the 7.4.6, 7.3.13, and 7.2.8 versions.

After many attempts to contact the Mura team about these vulnerabilities via various communication methods, no response was received.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

20 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

20 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

20 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

20 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

24 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago