Stored XSS in icloud.com — $5000

Hello Guys hope you all are doing well, fine and healthy during this hard time.

Introduction :

Hello, I am Vishal Bharad, from India and working as Penetration Tester, Now today I am going to share how I found Stored Cross-Site Scripting (XSS) in icloud.com.

Initial Discovery & Exploitation :

First of all I am not the XSS guy :D

Finally I decided to hunt on Apple. As we all know that apple is having large scope so I blindly choose icloud.com and decided to find at least 1 bug on icloud.com.

I tried many vulnerabilities on icloud.com such as CSRF, IDOR, Business Logic Bugs etc. and got nothing. I keep tried to find bugs on icloud.com and after so many attempts I decided to find XSS on icloud.com. (As I am still not good at finding XSS :D)

So here I started the initial recon to find XSS. As we all know that we can try XSS where strings are reflected on webpage or in response.

So I have logged in with icloud.com and inserted payloads everywhere and looked for the webpages where my payloads or strings over getting reflected in response. After so many attempts I got one endpoint where my payload was fired and It was my “Pursuit of Happiness”

Image for post
Image for post
XSS fired in Settings >> Browser All Versions.

Below is the step of reproduction where I was able to find stored XSS in icloud.com and got $5000

Steps to Reproduce:

  1. Go to Page/Keynotes https://www.icloud.com/pages/ or https://www.icloud.com/keynotes
  2. Create Pages or Keynote with the name XSS payload “><img src=x onerror=alert(0)>
  3. Send this to the user or collaborate with any user.
  4. Then go to the pages, make some changes and save
  5. again, go to the pages and go to Settings >> Browser All Versions.
  6. After click on Browse All Versions. XSS will trigger

Now I got the XSS. So I decided to make full video that how attacker can able to triggers XSS on victim’s account.

Video is Attached to Demonstrate this Vulnerability.

Please watch full video in which I have demonstrate how 1st user can able to trigger XSS on 2nd user’s account.

Thank You for your time to read this article

Disclosure :

  1. I reported to Apple on 7th August 2020
  2. They reviewed the report, steps to reproduce, and POC(Video).
  3. Rewarded $5000 Bounty on 9th Oct 2020

Thanks

Looking forward to share more blogs

Best Regards

Vishal Bharad

Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/

Penetration Tester, Bug Bounty Hunter, Security Researcher

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store