Stored XSS in icloud.com — $5000

The XSS fires in Settings >> Browse All Versions (the document's version history view).
  1. Go to Pages or Keynote: https://www.icloud.com/pages/ or https://www.icloud.com/keynotes
  2. Create a Pages or Keynote document whose name is the XSS payload "><img src=x onerror=alert(0)>
  3. Share the document with the target user, or collaborate on it with any user.
  4. Open the document, make some changes, and save.
  5. Open the document again and go to Settings >> Browse All Versions.
  6. After clicking Browse All Versions, the XSS triggers.
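The payload starts with "> because the document name is evidently inserted unescaped into the markup of the version-history panel, closing an attribute and injecting a new element. The following is an added illustration of that bug class and its fix, not Apple's code: it assumes a hypothetical "Browse All Versions" row rendered by string concatenation with the name placed in a title attribute and as text, and contrasts it with the same row rendered with HTML escaping. The version object is constructed input.

```javascript
// Added example, not Apple's code: a stored document name rendered as HTML
// in a (hypothetical) version-history row, vulnerable vs. escaped.

// Constructed payload, the same one used in the report.
const PAYLOAD = '"><img src=x onerror=alert(0)>';

// Minimal HTML escaping, safe for text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the stored name goes straight into the markup, so a name
// containing "> closes the title attribute and injects an <img> element.
function renderVersionRowVulnerable(version) {
  return `<li class="version" title="${version.name}">` +
         `${version.name} (saved ${version.savedAt})</li>`;
}

// Hardened: every untrusted value is escaped before it enters the markup.
function renderVersionRowSafe(version) {
  const name = escapeHtml(version.name);
  return `<li class="version" title="${name}">` +
         `${name} (saved ${escapeHtml(version.savedAt)})</li>`;
}

// Crude check used only to make the difference visible: which element tags
// appear in the row other than the <li> we meant to emit?
function injectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.map(t => t.replace(/^<\/?/, '').toLowerCase())
             .filter(t => t !== 'li');
}

// Constructed sample record: a version whose name is the payload.
const version = { name: PAYLOAD, savedAt: '2020-08-07T10:00:00Z' };

const vulnerableHtml = renderVersionRowVulnerable(version);
const safeHtml = renderVersionRowSafe(version);

console.log(vulnerableHtml); // contains a live <img src=x onerror=alert(0)>
console.log(safeHtml);       // the payload survives only as &quot;&gt;&lt;img ... text
```

Run it with node; the vulnerable row contains two injected img tags (one from the attribute breakout, one from the text position), while the escaped row contains none and shows the payload as literal text. Using DOM APIs such as textContent and setAttribute instead of string-built HTML removes the escaping step altogether.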
  1. I reported the issue to Apple on 7 August 2020.
  2. Apple reviewed the report, the steps to reproduce, and the POC video.
  3. Apple awarded a $5000 bounty on 9 October 2020.

Penetration Tester, Bug Bounty Hunter, Security Researcher

Vishal Bharad
