A cross-site scripting (XSS) vulnerability in the iCloud domain is said to have been fixed by Apple. Bug hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a XSS issue stored on icloud.com.
Stored XSS vulnerabilities, also known as "persistent XSS", can be used to store payloads on a targeted server, insert malicious scripts into websites, and possibly be used to steal cookies, session tokens and browser data.
According to Bharad, the XSS defect in icloud.com was detected in the Page / Keynotes functions of Apple's iCloud domain.
This content should then be saved and sent or shared with another user. Then one intruder should make one or two changes to malicious content, save it again and then visit “Settings” and “Browser All Versions”.
After clicking on this choice, XSS payload will be enabled, said the researcher.
Bharad also provided a Proof-of-Concept video (PoC) to present the vulnerability.
The investigator revealed the error to Apple on August 7, 2020. The report was accepted and Bharad received a financial reward of $ 5000 on October 9.
Bug bounty programs like the ones that are offered by HackerOne and Bugcrowd, remain very popular with outside researchers who want to report security issues in technology suppliers. For 2020 alone, Google gave bug hunters $ 6,7 million for their reports.
Source of information: zdnet.com