Bug bounty hacker earned $5,000 reporting a Stored XSS flaw in iCloud.com

A white hat hacker has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.

The bug bounty hunter Vishal Bharad has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.

Bharad was searching for cross-site request forgery (CSRF), insecure direct object reference (IDOR), and other vulnerabilities in the Apple icloud.com website, when he found a stored XSS vulnerability.

Once he has logged in to icloud.com, he inserted payloads everywhere and looked for the webpages where the payloads or strings were reflected in response.

The vulnerability discovered by the expert resides in the Pages and Keynote software hosted on iCloud. In order to exploit the issue, the expert created a new document or presentation and entered an XSS payload into its name field, then shared a link to it with the targeted user.

The attack could be completed by tricking the targeted user into accessing the “Browse All Versions” feature from the “Settings” menu. Upon clicking on the “Browse All Versions,” the malicious payload will be executed in the victim’s browser.

Below the step by step procedure to reproduce the bug:

Go to Page/Keynotes https://www.icloud.com/pages/ or https://www.icloud.com/keynotes
Create Pages or Keynote with the name XSS payload “><img src=x onerror=alert(0)>
Send this to the user or collaborate with any user.
Then go to the pages, make some changes and save
again, go to the pages and go to Settings >> Browser All Versions.
After click on Browse All Versions. XSS will trigger

Bharad also published a video PoC for exploitation of the Stored XSS flaw:

The experts reported the flaw to Apple on August 7th, 2020, and on October 9th, 2020 Apple rewarded him a $5,000 bounty.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.