VYPR
Unrated severity · NVD Advisory · Published Nov 18, 2013 · Updated Apr 29, 2026

CVE-2013-5193

Description

A local attacker can complete App or In-App purchases in iOS <7.0.4 without entering the Apple ID password, abusing previously stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Apple iOS prior to version 7.0.4, the App Store component fails to properly enforce a password requirement at transaction time. When a user has previously entered their Apple ID credentials, subsequent App purchases or In-App purchases on the same device can be completed without re‑entering the password. Affected versions are iOS 7.x before 7.0.4; the issue was addressed in iOS 7.0.4 [1].

Exploitation

An attacker with physical access to an unlocked iOS device (or a user who has already signed into the App Store) can start a purchase in the App Store. Because the previous authentication token is reused, the purchase proceeds without a password prompt. No additional network access or special privileges are needed beyond local device access [1].

Impact

A local user can complete unauthorized App or In‑App purchases, effectively spending the account owner’s funds. While the attacker does not gain credentials or system-level control, the financial impact and breach of purchase authorization constitute a significant integrity violation of the transaction process [1].

Mitigation

Apple released iOS 7.0.4 on 14 November 2013, which enforces the password requirement at purchase time. Users should update all compatible devices (iPhone 4 and later, iPod touch 5th generation and later, iPad 2 and later) to iOS 7.0.4 or newer. No workaround is documented for unpatched devices [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.0.3)
    • cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <7.0.4

References

2