CRMEB
cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*
- <= 5.6.3
A vulnerability exists in CRMEB Mall System versions through 5.6.3, specifically in the appleLogin function of LoginController.php. The issue arises because the application fails to verify the authenticity of the Apple identity token, instead relying on the client-supplied openId without any validation. This flaw allows remote attackers to manipulate openId values, leading to unauthorized authentication. Exploitation of this vulnerability can result in the creation of fake user accounts or unauthorized access to existing accounts, bypassing Apple's authentication requirements.
Exploitation of this vulnerability allows for improper authentication, enabling attackers to create fake accounts or access existing ones using known Apple openIds. This access is granted through valid JWT tokens, providing full account privileges.
The vulnerability can be reproduced by sending a POST request to the Apple login endpoint with a forged openId. The server accepts this unverified openId, which can be used to create a new account or log in as an existing user.
To address this vulnerability, it is recommended to implement proper verification of the Apple identity token. This includes checking the token's signature using Apple's public keys, validating the issuer and audience, ensuring the token is not expired, and extracting the verified openId. Additionally, the Apple login feature can be temporarily disabled or replaced with a different authentication method.
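As an added illustration of the recommended fix (this is example code, not CRMEB's own), the handler below verifies the Apple identity token server-side and derives the openId from the verified `sub` claim instead of trusting a client-supplied value. It assumes the firebase/php-jwt (v6) Composer package; the function name and the expected audience value are placeholders.

```php
<?php
// Added example (not CRMEB's code): verify an Apple identity token and take the
// openId from its verified "sub" claim rather than from the request body.
// Assumes composer package firebase/php-jwt v6; function name and the audience
// passed by the caller are placeholders for this example.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

function verifyAppleIdentityToken(string $identityToken, string $expectedAudience): string
{
    // Apple's public signing keys (JWKS). Cache them in production rather than
    // fetching on every login attempt.
    $jwksJson = file_get_contents('https://appleid.apple.com/auth/keys');
    if ($jwksJson === false) {
        throw new RuntimeException('Unable to fetch Apple JWKS');
    }
    $jwks = json_decode($jwksJson, true);

    // Signature check against the key whose "kid" matches the token header.
    // php-jwt also rejects expired (exp) and not-yet-valid (nbf) tokens.
    $claims = JWT::decode($identityToken, JWK::parseKeySet($jwks));

    // php-jwt does not validate issuer or audience, so check both explicitly.
    if (($claims->iss ?? null) !== 'https://appleid.apple.com') {
        throw new RuntimeException('Unexpected issuer');
    }
    $aud = $claims->aud ?? null;
    $audOk = is_array($aud)
        ? in_array($expectedAudience, $aud, true)
        : $aud === $expectedAudience;
    if (!$audOk) {
        throw new RuntimeException('Token was not issued for this app');
    }
    if (empty($claims->sub)) {
        throw new RuntimeException('Token has no subject');
    }

    // The verified subject is the only openId the application should use
    // for account lookup or creation.
    return $claims->sub;
}

// In the login handler: read the identity token from the request (never an
// openId), verify it, and only then look up or create the user record.
// $openId = verifyAppleIdentityToken($request->post('identityToken'), 'com.example.app');
```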