
Apple Reportedly Patches XSS Vulnerability on iCloud's Website

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,488
13,129


In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's iCloud website.



According to Bharad, the vulnerability consisted of creating a Pages or Keynote document on the iCloud website with the name field containing the XSS payload. Sharing the document with another user, creating a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.

Given the vulnerability revolved around the iCloud website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.

Article Link: Apple Reportedly Patches XSS Vulnerability on iCloud's Website
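The bug described above is a stored XSS: the document name is set by one user, stored, and later rendered into a page (the "Browse All Versions" list) viewed by another user. The following is an added example, not Apple's code and not taken from the article or Bharad's write-up (the real iCloud rendering path is not public); it assumes a hypothetical version-list renderer and shows the defect next to the output-encoded fix, with a constructed sample document list:

```javascript
// Added example (not Apple's code): a template-layer renderer for a document version
// list, first with the defect that yields a stored XSS (an untrusted document name
// concatenated into HTML verbatim), then with output encoding. The version objects
// and their field names (id, name, savedAt) are assumptions made for this example.

// Output-encode the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: the document name, chosen by whoever created the document,
// lands in the markup unchanged. Anyone who later opens the version list (for example
// a user the document was shared with) executes whatever that name contains.
function renderVersionListUnsafe(versions) {
  return '<ul>' + versions.map(v =>
    `<li data-id="${v.id}">${v.name} (saved ${v.savedAt})</li>`
  ).join('') + '</ul>';
}

// Hardened renderer: every untrusted field is encoded for the context it lands in,
// so a name containing markup is displayed as text rather than parsed as HTML.
function renderVersionListSafe(versions) {
  return '<ul>' + versions.map(v =>
    `<li data-id="${escapeHtml(v.id)}">${escapeHtml(v.name)} (saved ${escapeHtml(v.savedAt)})</li>`
  ).join('') + '</ul>';
}

// Cheap check for a unit test or response audit: does rendered output still contain
// a live script element? A real audit would parse the HTML; a regex is enough to
// make the difference between the two renderers visible here.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one benign version and one whose name carries markup.
const sampleVersions = [
  { id: 'v1', name: 'Quarterly report', savedAt: '2020-08-07T10:00:00Z' },
  { id: 'v2', name: 'Quarterly report <script>alert(1)</script>', savedAt: '2020-08-07T10:05:00Z' },
];

// Stand-alone demo: the unsafe output parses as a script, the safe one as text.
console.log('unsafe contains script element:', containsScriptElement(renderVersionListUnsafe(sampleVersions)));
console.log('safe   contains script element:', containsScriptElement(renderVersionListSafe(sampleVersions)));
console.log(renderVersionListSafe(sampleVersions));

if (typeof module !== 'undefined') {
  module.exports = { escapeHtml, renderVersionListUnsafe, renderVersionListSafe, containsScriptElement, sampleVersions };
}
```

The point of the two renderers side by side is that the storage step is not where the defect lives: the name is legitimately arbitrary text, and the fix belongs at the output boundary, encoding for the HTML context every time the value is written into a page. Browser-side code that builds the list should use `textContent` rather than `innerHTML` for the same reason.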

wfulle

macrumors member
Nov 12, 2020
31
56
I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I might actually try them again because I really do like the simplicity and maybe it's gotten better.

Aeronauts

macrumors member
Feb 5, 2021
57
50
If Apple want to generate more revenue from subscriptions I would happily pay for a pro version of iWork to replace my Office 365 subscription. Keep the existing free version for basic users.

Aeronauts

macrumors member
Feb 5, 2021
57
50
Thank heavens for honest hackers who are happy with bounty rewards rather than exploiting their find for criminal gains.

sdz

Suspended
May 28, 2014
712
818
Europe/Germany
Agreed, that's peanuts. XSS is a *huge* vulnerability. It allows malicious code to run as a trusted first party, complete with keylogging (on that injected page) and token stealing.

First, the attacker must succeed in deploying his JavaScript in my browser

neliason

macrumors 6502
Oct 1, 2015
412
760
I forgot Apple even had a web based interface for Pages etc. I wonder how many people use it? How much does Apple spend maintaining this?

I actually love Pages and Numbers, but I only use them via the apps.