Apple Reportedly Patches XSS Vulnerability on iCloud's Website

In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's iCloud website.


According to Bharad, exploiting the vulnerability involved creating a Pages or Keynote document on the iCloud website with the name field containing the XSS payload. Sharing the document with another user, creating a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.
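
To illustrate the class of bug described above, the following added example (not Apple's code and not taken from Bharad's write-up) shows a hypothetical version-history renderer that places a stored document name into HTML, first unescaped and then escaped at output. All function names and the sample document are constructed for illustration.

```javascript
// Added illustration: a hypothetical version-history renderer, not iCloud code.

// Escape the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the stored document name goes into the markup unchanged,
// so markup in the name becomes markup in the viewer's page.
function renderVersionsUnsafe(doc) {
  const rows = doc.versions.map(
    (v) => `<li>${doc.name}, saved ${v.savedAt} by ${v.author}</li>`
  );
  return `<ul class="versions">${rows.join("")}</ul>`;
}

// Hardened form: every user-controlled field is escaped at the point of output.
function renderVersionsSafe(doc) {
  const rows = doc.versions.map(
    (v) => `<li>${escapeHtml(doc.name)}, saved ${escapeHtml(v.savedAt)} by ${escapeHtml(v.author)}</li>`
  );
  return `<ul class="versions">${rows.join("")}</ul>`;
}

// Regression check: true when the rendered list holds only the tags the template itself emits.
function onlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(ul|li)( class="versions")?>$/.test(t));
}

// Constructed sample: a shared document whose name carries a harmless marker tag.
const sharedDoc = {
  name: "Q3 plan<script>alert(1)</script>",
  versions: [
    { savedAt: "2020-08-01T10:00Z", author: "owner@example.com" },
    { savedAt: "2020-08-01T10:05Z", author: "collaborator@example.com" },
  ],
};

console.log(onlyTemplateTags(renderVersionsUnsafe(sharedDoc))); // false
console.log(onlyTemplateTags(renderVersionsSafe(sharedDoc)));   // true
```

A check like `onlyTemplateTags` belongs in the test suite of every view that displays a user-supplied name, since a stored value can reach a secondary view such as a version browser long after it was saved.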

Given that the vulnerability revolved around the iCloud website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.

Top Rated Comments

Razorpit
8 months ago
Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic!
Score: 8 Votes
locovaca
8 months ago

> I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I use them exclusively. They work fine for local content creation and I just export to doc/excel when I need to share.
Score: 5 Votes
wfulle
8 months ago

> Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic!
Maybe it would have been fixed faster if Apple made Pages a real competitor to Docs and Word
Score: 4 Votes
Razorpit
8 months ago

> Maybe it would have been fixed faster if Apple made Pages a real competitor to Docs and Word
I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
Score: 3 Votes
sdz
8 months ago

> Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic!
Fantastically analyzed.
Score: 2 Votes
wfulle
8 months ago

> I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I might actually try them again because I really do like the simplicity and maybe it's gotten better.
Score: 1 Votes
