The bug bounty hunter Vishal Bharad has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.
Bharad was searching for cross-site request forgery (CSRF), insecure direct object reference (IDOR), and other vulnerabilities in the Apple icloud.com website, when he found a stored XSS vulnerability.
Once he has logged in to icloud.com, he inserted payloads everywhere and looked for the webpages where the payloads or strings were reflected in response.
The vulnerability discovered by the expert resides in the Pages and Keynote software hosted on iCloud. In order to exploit the issue, the expert created a new document or presentation and entered an XSS payload into its name field, then shared a link to it with the targeted user.
The attack could be completed by tricking the targeted user into accessing the “Browse All Versions” feature from the “Settings” menu. Upon clicking on the “Browse All Versions,” the malicious payload will be executed in the victim’s browser.
Below the step by step procedure to reproduce the bug:
Bharad also published a video PoC for exploitation of the Stored XSS flaw:
The experts reported the flaw to Apple on August 7th, 2020, and on October 9th, 2020 Apple rewarded him a $5,000 bounty.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, XSS)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.