Apple Reportedly Patches XSS Vulnerability on iCloud's Website

[MacRumors]

In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's ‌iCloud‌ website.

According to Bharad, the vulnerability consisted of creating a Pages or Keynote document on the iCloud website with the name field containing the XSS payload. Sharing the document with another user, creating a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.

Given the vulnerability revolved around the iCloud website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.

Article Link: Apple Reportedly Patches XSS Vulnerability on iCloud's Website

 

[Razorpit]

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! 😉

 

[sdz]

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! 😉

Fantastically analyzed.

 

[wfulle]

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! 😉

Maybe it would of been fixed faster if Apple made pages a real competitor to Docs and Word

 

[Razorpit]

Maybe it would of been fixed faster if Apple made pages a real competitor to Docs and Word

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.

 

[wfulle]

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.

I might actually try them again because I really do like the simplicity and maybe its gotten better.

 

[locovaca]

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.

I use them exclusively. They work fine for local content creation and I just export to doc/excel when I need to share.

 

[8281]

Maybe Apple could also update iCloud.com so it doesn’t look stuck in 2010.

 

[jonnysods]

Man only $5k for that exploit?

 

[1258186]

If Apple want to generate more revenue from subscriptions I would happily pay for a pro version of iWork to replace my Office 365 subscription. Keep the existing free version for basic users.

 

[1258186]

Thank heavens for honest hackers who are happy with bounty rewards rather than exploiting their find for criminal gains.

 

[LawJolla]

Man only $5k for that exploit?

Agreed, that's peanuts. XSS is a *huge* vulnerability. It allows malicious code to run as trusted first party, complete with keylogging (on that injected page) and token stealing.

 

[sdz]

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.

I use it mainly and I dread using MS Office.
Apple of the past had a very nice office suite (ClarisWorks)

 

[sdz]

Agreed, that's peanuts. XSS is a *huge* vulnerability. It allows malicious code to run as trusted first party, complete with keylogging (on that injected page) and token stealing.

First, the attacker must succeed to deploy his javascript on my browser

 

[sdz]

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.

Trillion $ company Apple uses it sometimes for their white paper documents.

 

[Razorpit]

Trillion $ company Apple uses it sometimes for their white paper documents.

That's good, but they aren't sharing anything with me and I'm not with them. 😁

 

[LawJolla]

First, the attacker must succeed to deploy his javascript on my browser

Keen grasp of the obvious. 👍

 

[neliason]

I forgot Apple even had a web based interface for Pages etc. I wonder how many people use it? How much does Apple spend maintaining this?

I actually love Pages and Numbers, but I only use them via the apps.