Apple Patched A Stored XSS Vulnerability In iCloud Domain

ICloud Hack Scam

A serious stored XSS vulnerability existed in the Apple iCloud domain that caught the attention of a bug bounty hunter. Following the report, Apple patched the flaw before it could go under active exploitation.

Apple iCloud XSS Vulnerability

A security researcher, Vishal Bhardwaj, has recently shared details of his findings regarding a flaw affecting the iCloud platform.

Specifically, he discovered a stored XSS (cross-site scripting) vulnerability in an Apple iCloud domain. The bug resided in the Page/Keynotes feature of the domain.

Stored or Persistent XSS vulnerabilities let the payload persistently exist on the target page. These flaws are sneaky letting the malware to run on infected pages without being detected.

As elaborated in his blog post, to exploit the bug, an attacker simply had to create a malicious payload and send it to any user. Once shared, the attacker would have to make some changes on the target page, save, revisit the affected page and then go to the “Settings” menu through the same page. Then, clicking on the “All Browser Versions” would trigger the flaw on the target users’ account.

The following video demonstrates the PoC of the exploit.

Apple Patched The Flaw

The researcher found this vulnerability last year as he strived to find a security bug in iCloud. After numerous failed attempts in finding CSRF, IDOR, and Business Logic vulnerabilities, he finally discovered this stored XSS.

After this discovery, he eventually reported it to Apple in August 2020.

Following his report, Apple eventually addressed the bug within a couple of months. As assumed, the bug didn’t go under active exploitation before the fix.

Also, Apple awarded a $5000 bounty to Bhardwaj for discovering the vulnerability.

While Apple had already patched this vulnerability last year, the researcher has disclosed the bug details only recently.

As for the existing situation, iCloud users don’t need to worry since the flaw no more exists.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients