Tuesday, February 23, 13:31

XSS error detected in the Apple iCloud domain

Apple is reported to have fixed a cross-site scripting (XSS) vulnerability in its iCloud domain. Bug hunter and penetration tester Vishal Bharad says he discovered the flaw, a stored XSS issue on icloud.com.

Stored XSS vulnerabilities, also known as "persistent XSS", let an attacker save a payload on the targeted server so that it is served to other users as part of the site's pages; such injected scripts can be used to steal cookies, session tokens and other browser data.

According to Bharad, the XSS bug in icloud.com was found in the Pages and Keynote features of Apple's iCloud domain.


To trigger the bug, an attacker needed to create a new Pages or Keynote document with an XSS payload entered in its name field.

That content then had to be saved and sent to or shared with another user. The attacker then had to make one or two edits to the malicious content, save it again, and open "Settings" followed by "Browse All Versions".

Clicking that option caused the XSS payload to execute, the researcher said.
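The bug class described above, as an added example that is neither Apple's code nor the researcher's PoC: a constructed version-list renderer that inserts a user-supplied document name as raw HTML, beside the escaped form. The sample document, version data and function names are assumptions for illustration.

```javascript
// Added example (not Apple's code): a document "name" typed by one user is
// later rendered into another user's page (here, a constructed "Browse All
// Versions" list). Rendering it as raw HTML lets markup in the name execute;
// escaping it first displays it literally.

// Constructed sample data: a shared document whose name carries markup,
// and two saved versions of it (dates are made up).
const SAMPLE_DOC = {
  name: 'Q3 plan <script>alert(1)</script>',
  versions: [
    { id: 1, savedAt: '2020-08-07T10:00:00Z' },
    { id: 2, savedAt: '2020-08-07T10:05:00Z' },
  ],
};

// Minimal HTML escaping for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the untrusted name is concatenated straight into the
// HTML string, which is what innerHTML-style rendering amounts to.
function renderVersionListUnsafe(doc) {
  const items = doc.versions
    .map((v) => `<li>${doc.name} (version ${v.id}, saved ${v.savedAt})</li>`)
    .join('');
  return `<ul class="versions">${items}</ul>`;
}

// Fixed pattern: every untrusted value is escaped before insertion.
// In a live DOM, setting textContent on a created element achieves the same.
function renderVersionList(doc) {
  const items = doc.versions
    .map((v) => `<li>${escapeHtml(doc.name)} (version ${escapeHtml(v.id)}, saved ${escapeHtml(v.savedAt)})</li>`)
    .join('');
  return `<ul class="versions">${items}</ul>`;
}

// Defender-side check for a unit test over every rendering path: does the
// produced HTML still contain a live <script> tag that came from user data?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Running `containsLiveScriptTag` over the output of both renderers shows the unsafe one still carries the tag while the escaped one does not.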

Bharad also published a proof-of-concept (PoC) video demonstrating the vulnerability.

The researcher reported the bug to Apple on August 7, 2020. The report was accepted and Bharad received a $5,000 reward on October 9.

Bug bounty programs such as those run through HackerOne and Bugcrowd remain very popular with outside researchers who want to report security issues to technology vendors. In 2020 alone, Google paid bug hunters $6.7 million for their reports.

Source of information: zdnet.com


Teo Ehc, https://www.secnews.gr
