A security vulnerability in iCloud that could have been used to send malware to Mac users has now been patched by Apple, according to a new blog post.
It allowed an attacker to embed malicious code in either Pages or Keynote documents, which could then be shared with others…
Bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a stored XSS issue in icloud.com.
Stored XSS vulnerabilities, also known as persistent XSS, can be used to store payloads on a target server, inject malicious scripts into websites, and potentially steal cookies, session tokens, and browser data.
According to Bharad, the XSS flaw in icloud.com was found in the Pages/Keynote features of Apple’s iCloud domain.
Bharad says Apple paid him a $5,000 bug bounty for finding and reporting it.
The relatively small payout for what was potentially a very serious flaw was likely due to the very specific steps required to trigger it, making it tricky to exploit.
In order to trigger the bug, an attacker needed to create new Pages or Keynote content with an XSS payload submitted into the name field.
This content would then need to be saved and either sent or shared with another user. An attacker would then be required to make a change or two to the malicious content, save it again, and then visit “Settings” and “Browse All Versions.”
After clicking on this option, the XSS payload would trigger, the researcher said.
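The general pattern behind this class of bug, as an added example that is not from the researcher's post or Apple's code: a name stored verbatim stays harmless until one view, here a hypothetical version list, writes it into HTML without output encoding. The function names, data shape and sample document name are all constructed for illustration.

```javascript
// Hypothetical model of a document service (assumption, not Apple's code).
// The document name is stored exactly as the user typed it; the risk lies in
// how each view writes that stored value back into a page.

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: every save creates a version that carries the name.
function makeDocument(name) {
  return { versions: [{ id: 1, name }, { id: 2, name }] };
}

// Vulnerable pattern: the version list concatenates the stored name into markup.
function renderVersionsUnsafe(doc) {
  const items = doc.versions.map((v) => `<li data-v="${v.id}">${v.name}</li>`);
  return "<ul>" + items.join("") + "</ul>";
}

// Hardened pattern: every stored value is encoded at the point of output.
function renderVersionsSafe(doc) {
  const items = doc.versions.map(
    (v) => `<li data-v="${escapeHtml(v.id)}">${escapeHtml(v.name)}</li>`
  );
  return "<ul>" + items.join("") + "</ul>";
}

// Regression check for a test suite: after removing the template's own tags,
// any remaining angle bracket means stored data reached the page as markup.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(ul|li)(\s+data-v="\d+")?>/g, "");
  return /[<>]/.test(stripped);
}

// Constructed input: the standard harmless XSS test string in the name field.
const sample = makeDocument("Q3 report <script>alert(1)</script>");
console.log("unsafe view leaks markup:", containsInjectedMarkup(renderVersionsUnsafe(sample)));
console.log("safe view leaks markup:", containsInjectedMarkup(renderVersionsSafe(sample)));
```

A check like `containsInjectedMarkup` belongs in the tests for every view that displays a user-controlled field, since secondary screens such as a version browser are easy to miss when the main listing is already encoded.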
A video proof of concept can be seen below.
Apple first introduced security bug bounties back in 2016, but came under attack from security researchers on two fronts. First, it was an invitation-only program; second, the maximum payout was $200K. Both factors were said to incentivize people to sell the information to governments and black-hat companies that would exploit it to break into Apple devices. Late last year, the Cupertino company addressed both issues by opening up the program to all, and increasing the maximum payout to $1.5M.