The bug bounty hunter Vishal Bharad has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.
Bharad was searching for cross-site request forgery (CSRF), insecure direct object reference (IDOR), and other vulnerabilities in the Apple icloud.com website, when he found a stored XSS vulnerability.
Once he has logged in to icloud.com, he inserted payloads everywhere and looked for the webpages where the payloads or strings were reflected in response.
The vulnerability discovered by the expert resides in the Pages and Keynote software hosted on iCloud. In order to exploit the issue, the expert created a new document or presentation and entered an XSS payload into its name field, then shared a link to it with the targeted user.
The attack could be completed by tricking the targeted user into accessing the “Browse All Versions” feature from the “Settings” menu. Upon clicking on the “Browse All Versions,” the malicious payload will be executed in the victim’s browser.
Below the step by step procedure to reproduce the bug:
Bharad also published a video PoC for exploitation of the Stored XSS flaw:
The experts reported the flaw to Apple on August 7th, 2020, and on October 9th, 2020 Apple rewarded him a $5,000 bounty.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, XSS)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.