
XSS error detected in the Apple iCloud domain

A cross-site scripting (XSS) vulnerability in the iCloud domain is said to have been fixed by Apple. Bug hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, a stored XSS issue on icloud.com.

Stored XSS vulnerabilities, also known as "persistent XSS", let an attacker save a payload on the targeted server so that it is injected into the site's pages for every user who later views the affected content; such payloads can potentially be used to steal cookies, session tokens and browser data.

According to Bharad, the XSS defect in icloud.com was found in the Pages / Keynote functions of Apple's iCloud domain.


To trigger the bug, an attacker needed to create a new Pages or Keynote document with an XSS payload submitted in the name field.

This content then had to be saved and sent or shared with another user. The attacker then made one or two changes to the malicious content, saved it again, and opened "Settings" and "Browse All Versions".

After clicking on this option, the XSS payload would execute, said the researcher.
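The write-up describes the classic stored XSS shape: a value typed into a name field is saved as-is and later rendered into a page (here, the version-history view) without being encoded. The following is an added example, not code from the article or from Apple; it uses a constructed in-memory version store and a hypothetical pair of renderers, `renderVersionsUnsafe` and `renderVersionsSafe`, to show why output encoding at the point where stored data enters HTML is the fix, and why a simple marker check can flag the unsafe rendering.

```javascript
// Added example (not from the article or Apple's code): why a stored document
// name needs output encoding everywhere it is rendered, including version lists.

// Minimal HTML escaper for text placed into element content or attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Constructed stand-in for the server-side store: each save of a document
// appends a version record whose name is kept verbatim, as a database would.
const versionStore = new Map();

function saveDocument(docId, name) {
  const versions = versionStore.get(docId) || [];
  versions.push({ version: versions.length + 1, name });
  versionStore.set(docId, versions);
  return versions.length;
}

// Vulnerable renderer: concatenates the stored name straight into markup.
function renderVersionsUnsafe(docId) {
  const versions = versionStore.get(docId) || [];
  return "<ul>" +
    versions.map(v => `<li>v${v.version}: ${v.name}</li>`).join("") +
    "</ul>";
}

// Hardened renderer: every stored value is encoded as it enters the HTML.
function renderVersionsSafe(docId) {
  const versions = versionStore.get(docId) || [];
  return "<ul>" +
    versions.map(v => `<li>v${escapeHtml(v.version)}: ${escapeHtml(v.name)}</li>`).join("") +
    "</ul>";
}

// Detection helper: does a rendered page still contain a raw <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a document whose name carries a harmless test payload,
// saved once, then edited and saved again (the "one or two changes" above).
const hostileName = "Quarterly plan<script>alert(1)</script>";
saveDocument("doc-1", hostileName);
saveDocument("doc-1", hostileName + " (edited)");

const unsafe = renderVersionsUnsafe("doc-1");
const safe = renderVersionsSafe("doc-1");
console.log(containsScriptTag(unsafe)); // true: the name became live markup
console.log(containsScriptTag(safe));   // false: the name renders as plain text
```

Two points worth taking from this: the encoding has to happen on every output path (the editor, the sharing view and the version browser each render the same stored name, and one missed path is enough), and a context-aware templating engine that escapes by default is preferable to hand-rolled escaping. A Content Security Policy that disallows inline scripts is a useful second layer, but it does not replace output encoding.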

Bharad also provided a proof-of-concept (PoC) video demonstrating the vulnerability.

The researcher reported the bug to Apple on August 7, 2020. The report was accepted and Bharad received a reward of $5,000 on October 9.

Bug bounty programs, like the ones offered through HackerOne and Bugcrowd, remain very popular with outside researchers who want to report security issues to technology vendors. For 2020 alone, Google paid bug hunters $6.7 million for their reports.

Source of information: zdnet.com

Teo Ehc (https://www.secnews.gr)