CRMEB Mall System Apple Login Bypass: Unverified JWT Signature Leads to Account Takeover

Vulnerability Key Information 1. Vulnerability Overview Project: CRMEB Mall System Vendor: CRMEB (https://www.crmeb.com) Project Repository: https://github.com/crmeb/CRMEB.git Affected File: Affected Versions: v5.6.3 and earlier (<= v5.6.3) Vulnerability Type: CWE-287 (Improper Authentication) CVSS v3.1 Score: 9.8 (Critical) 2. Vulnerability Description Issue: The Apple login endpoint does not validate the signature of the Apple identity token (JWT) and blindly trusts the parameter sent by the client. Impact: Allows attackers to forge any value, creating unlimited fake accounts or logging into any existing user’s account (if their Apple is known). 3. Vulnerability Analysis File: , Lines: 464-502 Summary: - Line 467: Directly accepts the parameter from the POST request without validation. - Line 486: Uses the unvalidated to generate an email (predictable: ). - Line 488: Constructs user information using the unvalidated . - Line 493: Calls to create/update user using the unvalidated , without any validation. - Line 495: Returns a successful response with full access privileges. 4. Vulnerability Details Expected Behavior: The client should send an , and the server should: - Validate the JWT signature using Apple’s public key. - Verify the issuer is . - Verify the audience matches the app’s bundle ID. - Verify the token is not expired. - Extract the validated from the claim. Actual Behavior: The client directly sends (can be any string), and the server fully trusts it without any cryptographic validation. 5. Proof of Concept (POC) POC 1: Arbitrary account creation. POC 2: Bulk account registration. Demonstrates the ability to create unlimited accounts via automated registration. 6. Impact Unlimited Account Creation: Attackers can create unlimited fake accounts. Account Takeover: If the Apple is known, attackers can log in as that user. Privilege Escalation: Full user privileges, including access to orders, payments, and personal data. Business Logic Abuse: Exploitation of new user rewards, referral bonuses, coupons, etc. No Authentication Bypass: Completely bypasses Apple’s authentication mechanism. 7. Database Evidence is an empty string (system accepts any value). first 12 characters are predictable. User successfully created using a valid JWT token. 8. Affected Files - Route definition (line 31). - Vulnerable controller (lines 464-502). - Service layer (lines 238-291). - User creation logic (lines 276-384). - User data persistence (lines 124-178). - Token generation (lines 93-121). 9. Remediation Immediate Mitigation: - Disable Apple login. - Enforce mobile phone binding. Permanent Fix: - Implement proper Apple identity token validation.

Goal Reached Thanks to every supporter — we hit 100%!

CRMEB Mall System Apple Login Bypass: Unverified JWT Signature Leads to Account Takeover

More from this source