Bug Bounty hunter won $5000 by disclosing Stored XSS bug in iCloud

iCloud Neon Sign

Apple is well known for rewarding security researchers and bug bounty hunters for finding a bug in its software infrastructure. This time, Apple rewarded a bug bounty hunter with $5000 for disclosing a stored cross-site scripting (XSS) vulnerability in iCloud, as per his blog post (via ZDNet).

Vishal Bharad found the vulnerability in the Pages/Keynote feature within iCloud. The XSS bug can be used to store payloads on a target server, inject malicious scripts into websites, and could be used to steal browsing data.

How it worked is that an attacker would need to create a document within Pages/Keynote on the iCloud website and save it with an XSS payload as the name of the file. Then, the file needed to be shared or collaborated with the victim.

Following that, the attacker would edit the file and save it, go to the settings page for the document, and click on the “Browse All Versions” button, thereby triggering the payload.

The researcher originally reported the vulnerability to Apple on August 7, 2020 and Apple acknowledged his efforts with a $5000 reward on October 9.

Apple also awarded a group of researchers $51,500 in October 2020 for disclosing multiple bugs as part of its Bug Bounty Program.

At Apple’s Security Bounty page, the company says that it makes it “a priority to resolve confirmed issues as quickly as possible in order to best protect customers.”

Let us know your thoughts in the comments section below.

Bharad also demonstrated the vulnerability in his video below:

$5000 Stored XSS in icloud.com