Bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a stored XSS issue in icloud.com.
Stored XSS vulnerabilities, also known as persistent XSS, can be used to store payloads on a target server, inject malicious scripts into websites, and potentially be used to steal cookies, session tokens, and browser data.
According to Bharad, the XSS flaw in icloud.com was found in the Page/Keynotes features of Apple's iCloud domain.
In order to trigger the bug, an attacker needed to create new Pages or Keynote content with an XSS payload submitted into the name field.
This content would then need to be saved and either sent or shared with another user. An attacker would then be required to make a change or two to the malicious content, save it again, and then visit "Settings" and "Browser All Versions."
After clicking on this option, the XSS payload would trigger, the researcher said.
Bharad also provided a Proof-of-Concept (PoC) video to demonstrate the vulnerability.
The researcher disclosed the bug to Apple on August 7, 2020. The report was accepted and Bharad received a $5000 financial reward for his efforts on October 9.
Bug bounty programs, such as those offered by HackerOne and Bugcrowd, remain a popular method for external researchers to report security issues to technology vendors. In 2020 alone, Google paid bug bounty hunters $6.7 million for their reports.
ZDNet has reached out to Apple for comment and will update when we hear back.