Bug bounty hunter and penetration tester Vishal Bharad has discovered a stored cross-site scripting (XSS) vulnerability in the iCloud domain, which has since been patched by Apple.
The security flaw is a stored XSS issue in icloud.com. Stored XSS vulnerabilities, also known as persistent XSS, arise when attacker-supplied input is saved on the target server and later rendered into a page without proper encoding. Because the payload is served to every user who views the affected content, it can inject malicious scripts into the site and potentially be used to steal cookies, session tokens, and browser data.
Bharad stated that the XSS flaw in icloud.com was found in the Pages/Keynote features of Apple’s iCloud domain.
To trigger the bug, an attacker has to create new Pages or Keynote content with an XSS payload submitted into the name field.
This content then has to be saved and sent or shared with another user. The attacker then has to make a change or two to the malicious content, save it again, and then visit “Settings” and “Browse All Versions.” The XSS payload would trigger after clicking on this option.
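The root cause of a bug of this shape is a stored value (here, a document name) being rendered into HTML without encoding for the context it lands in. The following is an added illustration, not Apple's code and not taken from Bharad's report: it assumes a hypothetical version-history view that builds a list from stored document names, shows the vulnerable concatenation pattern beside the hardened one, and includes a simple check a defender can run over rendered output to spot markup that did not come from the template. The sample document names are constructed for the example.

```javascript
// Added example (not Apple's or the researcher's code). Assumes a hypothetical
// "versions" view that renders a list of stored document names into HTML.

// Escape the five characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so any tags saved in the name become part of the page for whoever views it.
function renderVersionsUnsafe(versions) {
  return versions.map((v) => `<li data-id="${v.id}">${v.name}</li>`).join("");
}

// Hardened pattern: every untrusted value is encoded for the context it lands in
// (attribute value and element text both go through escapeHtml).
function renderVersionsSafe(versions) {
  return versions
    .map((v) => `<li data-id="${escapeHtml(v.id)}">${escapeHtml(v.name)}</li>`)
    .join("");
}

// Defensive check: report any tag name in the output that the template itself
// does not emit. Useful as a unit test on a renderer or as a log-side heuristic.
function containsForeignTags(html, allowed = ["li"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample input: one benign name and one name carrying markup.
const SAMPLE_VERSIONS = [
  { id: "v1", name: "Quarterly plan" },
  { id: "v2", name: 'Plan <script>x()</script> & "final"' },
];

// Stand-alone demonstration of the two renderers on the sample input.
function demo() {
  return {
    unsafe: renderVersionsUnsafe(SAMPLE_VERSIONS),
    safe: renderVersionsSafe(SAMPLE_VERSIONS),
    unsafeHasForeignTags: containsForeignTags(renderVersionsUnsafe(SAMPLE_VERSIONS)),
    safeHasForeignTags: containsForeignTags(renderVersionsSafe(SAMPLE_VERSIONS)),
  };
}

console.log(demo());
```

When the list is built in the browser rather than as a string, the same fix is to assign the stored name via `textContent` (or `setAttribute` for attributes) instead of `innerHTML`; the encoding step above is what that API does for you. The stored name must be treated as untrusted at every render site, including secondary views such as a version history, since the save-edit-share sequence described above only matters because one of those views skipped the encoding.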
The bug bounty hunter also provided a Proof-of-Concept (PoC) video to demonstrate the vulnerability.
The bug was disclosed to Apple on August 7, 2020. The report was accepted and Bharad received a reward of $5000 for his efforts.