
MacRumors

macrumors bot
Original poster
Apr 12, 2001
56,623
19,371


In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's iCloud website.



According to Bharad, the vulnerability consisted of creating a Pages or Keynote document on the iCloud website with the name field containing the XSS payload. Sharing the document with another user, creating a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.

Given the vulnerability revolved around the iCloud website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.

Article Link: Apple Reportedly Patches XSS Vulnerability on iCloud's Website
 
Reactions: RandomDSdevel
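The bug described above is a stored XSS: a user-controlled string (the document name) is written into the page as HTML markup instead of as text when the version list is rendered. The following is an added example, not code from the article, from the researcher, or from Apple's iCloud site. It uses a hypothetical version-list renderer with a constructed list of versions (the `renderVersions*` functions, the `savedAt` field and the sample names are all assumptions) to show the vulnerable interpolation beside the hardened one, plus a simple check a reviewer or test suite can run on rendered output to catch markup that the template itself did not produce.

```javascript
// Added example (not the article's or Apple's code): contextual output encoding
// for an untrusted document name rendered into an HTML "versions" list.

// Minimal HTML-text-context escaper. Every character that can open or close
// markup or an attribute value is replaced by its entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer (hypothetical): the raw name is concatenated into markup,
// so a name containing a tag becomes part of the page's DOM and runs as the
// trusted first-party origin.
function renderVersionsUnsafe(versions) {
  return versions
    .map((v) => `<li>${v.name} (saved ${v.savedAt})</li>`)
    .join('');
}

// Hardened renderer (hypothetical): every interpolated field is escaped for the
// HTML text context it lands in. The name is still shown verbatim to the user,
// but the browser treats it as text, not markup.
function renderVersionsSafe(versions) {
  return versions
    .map((v) => `<li>${escapeHtml(v.name)} (saved ${escapeHtml(v.savedAt)})</li>`)
    .join('');
}

// Defensive check for tests or a rendering smoke test: the template only ever
// emits <li> and </li>, so any other tag in the output means untrusted data
// reached the markup unescaped.
function containsForeignTag(html) {
  return /<(?!\/?li\b)[a-zA-Z]/.test(html);
}

// Constructed sample input, not data from the report. The second name carries
// the classic harmless XSS test string so the difference between the two
// renderers is visible.
const constructedVersions = [
  { name: 'Quarterly report', savedAt: '2020-08-07T10:00:00Z' },
  { name: 'Q3 draft <script>alert(1)</script>', savedAt: '2020-08-07T10:05:00Z' },
];

// Stand-alone usage: the unsafe output contains a <script> tag, the safe one does not.
console.log('unsafe foreign tag:', containsForeignTag(renderVersionsUnsafe(constructedVersions)));
console.log('safe   foreign tag:', containsForeignTag(renderVersionsSafe(constructedVersions)));
```

The escaper here is the text-node context only; a name dropped into an attribute, a URL or inline JavaScript needs the encoder for that context, and frameworks that auto-escape (or assigning `textContent` rather than `innerHTML` in the browser) achieve the same result with less chance of a missed call site. A Content Security Policy that disallows inline script is the usual second layer, limiting what an injected tag can do if an escape is ever missed.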

1258186

Cancelled
Feb 5, 2021
813
1,008
If Apple wants to generate more revenue from subscriptions, I would happily pay for a pro version of iWork to replace my Office 365 subscription. Keep the existing free version for basic users.
 

1258186

Cancelled
Feb 5, 2021
813
1,008
Thank heavens for honest hackers who are happy with bounty rewards rather than exploiting their find for criminal gains.
 

sdz

macrumors 65816
May 28, 2014
1,055
1,360
Europe/Germany
Agreed, that's peanuts. XSS is a *huge* vulnerability. It allows malicious code to run as trusted first party, complete with keylogging (on that injected page) and token stealing.

First, the attacker must succeed in deploying his JavaScript in my browser.
 

neliason

macrumors 6502
Oct 1, 2015
451
951
I forgot Apple even had a web based interface for Pages etc. I wonder how many people use it? How much does Apple spend maintaining this?

I actually love Pages and Numbers, but I only use them via the apps.
 
Reactions: amartinez1660