Discovery of XSS vulnerability on iCloud website brought expert $5,000

Vishal Bharad, an Indian bug hunter and pentester, explained in a blog post, how he discovered an XSS vulnerability on iCloud.com.

Initially, the researcher searched the site for vulnerabilities related to CSRF (Cross-Site Request Forgery), IDOR (Insecure Direct Object Reference), logical errors, and so on, but by accident discovered XSS vulnerability.

I decided to hunt on Apple. As we all know, Apple is having large scope so I blindly choose icloud.com and decided to find at least 1 bug on icloud.com. I tried many vulnerabilities on icloud.com such as CSRF, IDOR, Business Logic Bugs etc. and got nothing. I keep tried to find bugs on icloud.com and after so many attempts I decided to find XSS on icloud.com.Vishal Bharad says.

The vulnerability was present in Apple Pages and Keynote hosted on iCloud. Exploiting the bug meant creating a new document or presentation and injecting an XSS payload into the name field.

So here I started the initial recon to find XSS. As we all know that we can try XSS where strings are reflected on webpage or in response. So I have logged in with icloud.com and inserted payloads everywhere and looked for the webpages where my payloads or strings over getting reflected in response. After so many attempts I got one endpoint where my payload was fired and It was my “Pursuit of Happiness.researcher shares information about the discovery.

Basically, in order to exploit the problem, the attacker had to share a link to a malicious document or presentation with his victim, and then convince her to enter the settings and use the Browse All Versions function. As soon as the victim clicked on Browse All Versions, the attacker’s malicious payload was launched in the browser. An example of such an attack can be seen below.

Bharad says that he discovered the problem back in August 2020 and he immediately reported about it to Apple. The vulnerability was fixed only in the fall, and in October 2020, company paid a reward of $5,000 to an expert for discovering this bug.

Let me remind you that in 2020, Google paid cybersecurity experts $6.7 million, and I also wrote that Researcher Earned More than $2,000,000 on HackerOne.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *