Apple Fixes Security Vulnerability with Pages and Keynotes in iCloud

BY Mahit Huilgol

Published 22 Feb 2021

Apple has paid a bounty hunter $5000 for discovering a security flaw on iCloud. The security flaw is stored in an XSS file on iCloud.com. It allows attackers to embed malicious codes by creating new Pages or Keynotes documents.

The vulnerability belongs to the XSS class and is typically used to deploy payloads on target servers. Once deployed, it is used to steal personal information, including cookies, browser data and much more. Bharad discovered the vulnerability in the Page/Keynotes on an iCloud domain.

Thankfully it is not easy to trigger the bug, and that explains the less bounty. It can be triggered by creating new Pages or Keynote with an XSS Payload inserted into the name field. Furthermore, the document can be shared with multiple users. However, the attacker needs to make multiple changes to the malicious content.

In order to trigger the bug, an attacker needed to create new Pages or Keynote content with an XSS payload submitted into the name field.

This content would then need to be saved and either sent or shared with another user. An attacker would then be required to make a change or two to the malicious content, save it again, and then visit “Settings” and “Browser All Versions.”

After clicking on this option, the XSS payload would trigger, the researcher said.

Check out the proof of concept video below.

 

Apple opened up its Bug Bounty program for the public in 2019. The payouts range from $5000 to $250000. Recently, an Indian web developer won $100,000 for discovering a bug in ‘Sign in with Apple’ feature. Last year a group of security researchers hacked Apple for months and found several bugs that could take over victims iCloud account.