
According to Bharad, the vulnerability could be triggered by creating a Pages or Keynote document on the iCloud website with an XSS payload in the name field. Sharing the document with another user, making a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.
Given the vulnerability revolved around the iCloud website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.
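The bug class described above, a stored document name rendered without output encoding in a secondary view such as a version browser, is sketched below as an added example. It is not Apple's code or Bharad's proof of concept; the record layout, function names and sample name string are all hypothetical and constructed for illustration.

```javascript
// Added illustration with hypothetical names and data; not Apple's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: a shared document whose stored name carries markup.
const sharedDoc = {
  name: 'Q3 plan<img src=x onerror=alert(1)>',
  versions: [
    { savedBy: 'owner@example.com', savedAt: '2020-08-01T10:00:00Z' },
    { savedBy: 'collab@example.com', savedAt: '2020-08-02T09:30:00Z' },
  ],
};

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so it is parsed as HTML in the browser of whoever opens the version list.
function renderVersionsUnsafe(doc) {
  const rows = doc.versions.map((v) => `<li>${v.savedBy} at ${v.savedAt}</li>`).join('');
  return `<h2>Versions of ${doc.name}</h2><ul>${rows}</ul>`;
}

// Hardened pattern: every stored field is encoded at the point of output,
// including in views that are rarely visited.
function renderVersionsSafe(doc) {
  const rows = doc.versions
    .map((v) => `<li>${escapeHtml(v.savedBy)} at ${escapeHtml(v.savedAt)}</li>`)
    .join('');
  return `<h2>Versions of ${escapeHtml(doc.name)}</h2><ul>${rows}</ul>`;
}

// Review helper: true when a name containing angle brackets reaches the
// rendered page unencoded.
function nameLeaksAsMarkup(html, doc) {
  return /[<>]/.test(doc.name) && html.includes(doc.name);
}

console.log('unsafe view leaks name:', nameLeaksAsMarkup(renderVersionsUnsafe(sharedDoc), sharedDoc));
console.log('safe view leaks name:', nameLeaksAsMarkup(renderVersionsSafe(sharedDoc), sharedDoc));
```

A helper like `nameLeaksAsMarkup` can be run in a test suite against every template that displays user-controlled names, which is how a missed sink in a less-used view tends to get caught.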
This article, "Apple Reportedly Patches XSS Vulnerability on iCloud's Website," first appeared on MacRumors.com.