Researcher Reports Vulnerability in Apple iCloud Domain
A stored cross-site scripting vulnerability in the iCloud website reportedly earned a security researcher $5,000.
Apple has reportedly fixed a stored cross-site scripting (XSS) vulnerability in the iCloud domain following its discovery by security researcher Vishal Bharad, ZDNet reports.
Stored XSS, also known as persistent XSS, vulnerabilities occur when an attacker finds a flaw in a Web application and injects malicious code into its server. Bharad reportedly found this bug in the Page/Keynotes feature of the iCloud website.
To exploit this vulnerability, an attacker would have to create new content in either Pages or Keynote and enter their XSS payload into the name field. They would have to save this and send it to, or collaborate with, another user. The attacker would then need to make some changes to the content, resave it, and then go to Settings > Browse All Versions.
The XSS would trigger after "Browse All Versions" was clicked, Bharad explains in a blog post.
Bharad reported the vulnerability to Apple on Aug. 7, 2020, and was rewarded $5,000 for his findings.
About the Author(s)
You May Also Like
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024