Apple Reportedly Patches XSS Vulnerability on iCloud's Website

In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's iCloud website.


According to Bharad, exploiting the vulnerability involved creating a Pages or Keynote document on the iCloud website with the XSS payload in the name field. Sharing the document with another user, making a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.
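
As an added illustration (not code from Bharad's report or from Apple), the JavaScript below shows the general defect class described above: a stored document name written into a version-history list without output encoding, next to a version that encodes it. The renderer functions, field names and sample data are hypothetical.

```javascript
// Added example: hypothetical version-history renderer, not Apple's code.
// Document names are user-controlled and stored, so they must be encoded
// for the HTML context at the moment they are written into the page.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so markup inside the name becomes part of the page another user views.
function renderVersionsUnsafe(versions) {
  return '<ul>' + versions.map((v) =>
    `<li title="${v.name}">${v.name} (saved by ${v.savedBy})</li>`
  ).join('') + '</ul>';
}

// Hardened pattern: every user-controlled field is encoded on output.
function renderVersionsSafe(versions) {
  return '<ul>' + versions.map((v) =>
    `<li title="${escapeHtml(v.name)}">${escapeHtml(v.name)} ` +
    `(saved by ${escapeHtml(v.savedBy)})</li>`
  ).join('') + '</ul>';
}

// Constructed sample data: a shared document whose name carries markup.
const sampleVersions = [
  { name: 'Q3 plan', savedBy: 'alice' },
  { name: 'Q3 plan"><img src=x onerror="/* constructed */">', savedBy: 'bob' },
];

// Count the element tags an HTML parser would see in a rendered string.
function countTags(html, tag) {
  return (html.match(new RegExp('<' + tag + '[\\s>]', 'gi')) || []).length;
}

console.log('unsafe <img> tags:', countTags(renderVersionsUnsafe(sampleVersions), 'img'));
console.log('safe   <img> tags:', countTags(renderVersionsSafe(sampleVersions), 'img'));
```

Encoding at output time is what matters here: the name can be stored verbatim, as long as every view that renders it (including rarely used ones such as a version browser) encodes it for the context it is written into.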

Given the vulnerability revolved around the iCloud website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.

Top Rated Comments

Razorpit
23 months ago
Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! ?
Score: 8 Votes
locovaca
23 months ago

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I use them exclusively. They work fine for local content creation and I just export to doc/excel when I need to share.
Score: 5 Votes
wfulle
23 months ago

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! ?
Maybe it would have been fixed faster if Apple made Pages a real competitor to Docs and Word
Score: 4 Votes
Razorpit
23 months ago

Maybe it would have been fixed faster if Apple made Pages a real competitor to Docs and Word
I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
Score: 3 Votes
sdz
23 months ago

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! ?
Fantastically analyzed.
Score: 2 Votes
wfulle
23 months ago

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I might actually try them again because I really do like the simplicity and maybe it's gotten better.
Score: 1 Votes
