Feb 14, 2021
Stored XSS in icloud.com — $5000
Hello Guys hope you all are doing well, fine and healthy during this hard time.
Introduction :
Hello, I am Vishal Bharad, from India and working as Penetration Tester, Now today I am going to share how I found Stored Cross-Site Scripting (XSS) in icloud.com.
Initial Discovery & Exploitation :
First of all I am not the XSS guy :D
Finally I decided to hunt on Apple. As we all know that apple is having large scope so I blindly choose icloud.com and decided to find at least 1 bug on icloud.com.
I tried many vulnerabilities on icloud.com such as CSRF, IDOR, Business Logic Bugs etc. and got nothing. I keep tried to find bugs on icloud.com and after so many attempts I decided to find XSS on icloud.com. (As I am still not good at finding XSS :D)
So here I started the initial recon to find XSS. As we all know that we can try XSS where strings are reflected on webpage or in response.
So I have logged in with icloud.com and inserted payloads everywhere and looked for the webpages where my payloads or strings over getting reflected in response. After so many attempts I got one endpoint where my payload was fired and It was my “Pursuit of Happiness”
Below is the step of reproduction where I was able to find stored XSS in icloud.com and got $5000
Steps to Reproduce:
- Go to Page/Keynotes https://www.icloud.com/pages/ or https://www.icloud.com/keynotes
- Create Pages or Keynote with the name XSS payload “><img src=x onerror=alert(0)>
- Send this to the user or collaborate with any user.
- Then go to the pages, make some changes and save
- again, go to the pages and go to Settings >> Browser All Versions.
- After click on Browse All Versions. XSS will trigger
Now I got the XSS. So I decided to make full video that how attacker can able to triggers XSS on victim’s account.
Video is Attached to Demonstrate this Vulnerability.
Please watch full video in which I have demonstrate how 1st user can able to trigger XSS on 2nd user’s account.
Thank You for your time to read this article
Disclosure :
- I reported to Apple on 7th August 2020
- They reviewed the report, steps to reproduce, and POC(Video).
- Rewarded $5000 Bounty on 9th Oct 2020
Thanks
Looking forward to share more blogs
Best Regards
Vishal Bharad
Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/
