Apple pays $5,000 bug bounty for iCloud XSS bug discovery

By Malcolm Owen

A security researcher from India was awarded $5,000 from Apple via its bug bounty program, after discovering a cross-site scripting (XSS) flaw in iCloud. Since the discovery of the issue, Apple has patched the issue in iCloud.com.

The vulnerability found by Vishal Bharad involved creating a file in Pages or Keynotes on the iCloud website, part of Apple's iWork bundle. The file was created with a specific name that contained the desired XSS payload.

After sending the file to another user or collaborating with them, the attacker then had to make changes to the document and save it, the researcher advised in a blog post. Changing "Browse All Versions" in Settings then triggers the running of the XSS payload on the other user's device.

The bug has been known to Apple for quite a while, with Bahrad disclosing it to the company on August 7, 2020. After reviewing the report and the steps to reproduce, as well as a video demonstrating the bug, Apple awarded Bharad with $5,000 on October 9. Bharad publicly disclosed the flaw on February 14.

The researcher admitted that the bug was discovered as part of a fishing trip to try and uncover at least one issue with the iCloud website. After failing to find issues in areas such as CSRF, IDOR, and business logic bugs, Bharad then moved onto XSS bug-finding, a weak area for the researcher.

They then "inserted payloads everywhere" in a bid to find ways to view and trigger a payload that wasn't previously discovered, which they ultimately managed to accomplish.

On Thursday, Apple published a detailed guide to security mechanisms included in its software and hardware products. This included updates on security features relating to the M1 chip, the iMessage sandboxing mechanism called BlastDoor, and its bug bounty program.

Apple opened up its bug bounty program to all researchers in 2019 at the same time as increasing the rates of pay for disclosed bugs to a ceiling of $1 million in limited cases. The lucrative rewards have attracted many to start taking on Apple's security.

One "Sign In with Apple" vulnerability disclosed in May 2020 earned its discoverer $100,000, while a team of researchers spent three months hacking Apple and earned more than $50,000 in October.

On February 10, it was revealed a security researcher had hacked the internal systems of multiple major companies, including Apple, Microsoft, and PayPal. They earned more than $130,000 in bug bounties, with Apple contributing $30,000.