Researcher Reports Vulnerability in Apple iCloud Domain

A stored cross-site scripting vulnerability in the iCloud website reportedly earned a security researcher $5,000.



Apple has reportedly fixed a stored cross-site scripting (XSS) vulnerability in the iCloud domain following its discovery by security researcher Vishal Bharad, ZDNet reports.

Related Content:

Attackers Already Targeting Apple's M1 Chip with Custom Malware

Special Report: Understanding Your Cyber Attackers

New From The Edge: Breach Etiquette: How to Mind Your Manners When It Matters

Stored XSS, also known as persistent XSS, vulnerabilities occur when an attacker finds a flaw in a Web application and injects malicious code into its server. Bharad reportedly found this bug in the Page/Keynotes feature of the iCloud website.

To exploit this vulnerability, an attacker would have to create new content in either Pages or Keynote and enter their XSS payload into the name field. They would have to save this and send it to, or collaborate with, another user. The attacker would then need to make some changes to the content, resave it, and then go to Settings > Browse All Versions.

The XSS would trigger after "Browse All Versions" was clicked, Bharad explains in a blog post.

Bharad reported the vulnerability to Apple on Aug. 7, 2020, and was rewarded $5,000 for his findings. 

Read Bharad's full blog post here and more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service