Bug bounty hacker earned $5,000 reporting a Stored XSS flaw in iCloud.com

A white hat hacker has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.

The bug bounty hunter Vishal Bharad has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.

Bharad was searching for cross-site request forgery (CSRF), insecure direct object reference (IDOR), and other vulnerabilities in the Apple icloud.com website, when he found a stored XSS vulnerability.

Once he has logged in to icloud.com, he inserted payloads everywhere and looked for the webpages where the payloads or strings were reflected in response.

The vulnerability discovered by the expert resides in the Pages and Keynote software hosted on iCloud. In order to exploit the issue, the expert created a new document or presentation and entered an XSS payload into its name field, then shared a link to it with the targeted user.

The attack could be completed by tricking the targeted user into accessing the “Browse All Versions” feature from the “Settings” menu. Upon clicking on the “Browse All Versions,” the malicious payload will be executed in the victim’s browser.

Below the step by step procedure to reproduce the bug:

1. Go to Page/Keynotes https://www.icloud.com/pages/ or https://www.icloud.com/keynotes
2. Create Pages or Keynote with the name XSS payload “><img src=x onerror=alert(0)>
3. Send this to the user or collaborate with any user.
4. Then go to the pages, make some changes and save
5. again, go to the pages and go to Settings >> Browser All Versions.
6. After click on Browse All Versions. XSS will trigger

Bharad also published a video PoC for exploitation of the Stored XSS flaw:

The experts reported the flaw to Apple on August 7th, 2020, and on October 9th, 2020 Apple rewarded him a $5,000 bounty.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]