Apple Reportedly Patches XSS Vulnerability on iCloud's Website

In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's ‌iCloud‌ website.

24330f3b719ded3a3092a6ff695d8a34

According to Bharad, the vulnerability consisted of creating a Pages or Keynote document on the ‌iCloud‌ website with the name field containing the XSS payload. Sharing the document with another user, creating a change, saving, and then clicking "Browse All Versions" under Settings would have triggered the XSS payload.

Given the vulnerability revolved around the ‌iCloud‌ website, it's not linked to a recent software update and has reportedly been patched by Apple server-side. Bharad says he submitted the issue to Apple on August 7, 2020, and received a $5,000 bounty on October 9, 2020. We've reached out to Apple for comment and we'll update if we hear back.

Top Rated Comments

Razorpit Avatar
17 months ago
Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! ?
Score: 8 Votes (Like | Disagree)
locovaca Avatar
17 months ago

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I use them exclusively. They work fine for local content creation and I just export to doc/excel when I need to share.
Score: 5 Votes (Like | Disagree)
wfulle Avatar
17 months ago

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! ?
Maybe it would of been fixed faster if Apple made pages a real competitor to Docs and Word
Score: 4 Votes (Like | Disagree)
Razorpit Avatar
17 months ago

Maybe it would of been fixed faster if Apple made pages a real competitor to Docs and Word
I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
Score: 3 Votes (Like | Disagree)
sdz Avatar
17 months ago

Good thing no one ever shares a Pages or Keynote document on iCloud. Could have been catastrophic! ?
Fantastically analyzed.
Score: 2 Votes (Like | Disagree)
wfulle Avatar
17 months ago

I joke about their usage in the real world, but I use Pages and Numbers regularly. It just feels like I'm the only one.
I might actually try them again because I really do like the simplicity and maybe its gotten better.
Score: 1 Votes (Like | Disagree)

Related Stories

icloud private relay ios 15

Apple Says iOS 15.2 Included No Changes That Would Have Toggled iCloud Private Relay Off

Wednesday January 12, 2022 2:23 pm PST by
iOS 15.2 did not introduce a bug that turned iCloud Private Relay off for some users, Apple said in a statement that was provided to MacRumors. The statement was in response to a T-Mobile claim that iOS 15.2 had automatically toggled the iCloud Private Relay feature off for some users. iCloud Private Relay is an innovative internet privacy service that allows users with an iCloud+ subscription ...
icloud private relay ios 15

EU Mobile Operators Want Apple's iCloud Private Relay Service to Be Outlawed Over Concerns of 'Digital Sovereignty'

Monday January 10, 2022 4:40 am PST by
Major EU mobile operators are reportedly looking for Apple's iCloud Private Relay service to be outlawed because it allegedly infringes upon EU "digital sovereignty," according to a report from The Telegraph. iCloud Private Relay was a feature announced with iOS 15 that encrypts data so that neither Apple nor a third-party can see users' browsing activity in Safari. With iCloud Private Rely...
mozilla firefox banner fixed

Firefox 95 Brings Security, Performance, and Efficiency Improvements to Mac

Friday December 10, 2021 2:32 am PST by
Mozilla has released Firefox 95, featuring a new version of its security sandboxing subsystem called RLBox, and additional performance and efficiency improvements for the macOS version of the web browser. According to the release notes, RLBox is a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries. The sandbox subsystem works by...
icloud windows strong password

Apple Releases iCloud for Windows 13 With Support for ProRes, ProRAW, and Strong Password Generation

Wednesday November 10, 2021 11:07 am PST by
Apple today introduced a major update to iCloud for Windows, bringing the version number for the software to 13. Apple has added support for Apple ProRes videos and Apple ProRAW photos, so files in these formats can now be accessed from Windows PCs via iCloud. All participants of an iCloud Drive shared file or folder are now also able to add or remove people, and Apple has introduced support ...
safari icon blue banner

Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

Sunday January 16, 2022 3:37 pm PST by
A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS. In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session....
tmobilelogo

T-Mobile Says iOS 15.2 Bug Turning Off iCloud Private Relay for Some Users

Tuesday January 11, 2022 12:02 pm PST by
T-Mobile has not disabled iCloud Private Relay for its subscribers, in contrast to recent reports suggesting the carrier was preventing iPhone users from enabling the feature. In a statement to Bloomberg's Mark Gurman, T-Mobile said that iOS 15.2 device settings that default to the feature being toggled off, and that Apple has been contacted. T-Mobile explicitly says that iCloud relay has...
ios 15

Apple Stops Signing iOS 15.3 Following iOS 15.3.1 Release, Downgrading No Longer Possible

Thursday February 17, 2022 11:50 am PST by
Following the release of iOS 15.3.1 on February 10, Apple has stopped signing iOS 15.3, the previously available version of iOS that came out in late January. Because iOS 15.3 is no longer being signed, it is not possible to downgrade to that version of iOS if you've updated to iOS 15.3.1. Apple routinely stops signing older versions of software updates after new releases come out in order...
macos big sur ios 14 iphone 12 pro macbook air icloud drive desktop documents hero

Apple Merging 'iCloud Documents and Data' Service With iCloud Drive in May 2022

Tuesday May 11, 2021 2:36 am PDT by
Apple plans to merge its iCloud Documents and Data service with iCloud Drive starting in May of 2022, according to a support document published late last week (via MacGeneration). iCloud Drive and iCloud Documents and Data share the fundamental ability to backup data from apps. However, iCloud Documents and Data was often a cumbersome, confusing experience. In contrast, iCloud Drive is more...

Popular Stories

iPhone 14 Pro Purple Front and Back MacRumors Exclusive

iPhone 14 Pro Renders Highlight Multiple Design Changes

Wednesday May 25, 2022 8:56 am PDT by
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year. In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
iPad Pro USB C Feature Coral

Deals: Apple's iPad Pro Reaches Up to $449 Off in Amazon's Latest Sales

Wednesday May 25, 2022 10:09 am PDT by
Amazon is marking down a wide variety of 11-inch and 12.9-inch iPad Pro models this week, with prices starting as low as $749.00 for the 11-inch tablet. You'll find the full list of sales below, all of which can be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep...
apple account card

Wallet App Now Supports Apple Account Cards on iOS 15.5

Wednesday May 25, 2022 5:01 pm PDT by
Apple appears to have recently updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an App Store or Apple Store gift card, for example, it is added to an Apple Account that was previously visible in the App Store and Apple Store apps. As of today, the Apple Account balance can also be added to...
iphone 13 pro max display bleen

iPhone 14 Max Reportedly Weeks Behind Schedule [Updated]

Thursday May 26, 2022 7:25 am PDT by
The iPhone 14 Max is currently behind schedule by around three weeks, according to Haitong International Securities analyst Jeff Pu. Yesterday, Nikkei Asia reported that at least one iPhone 14 model was three weeks behind schedule due to the impact of lockdowns on Apple's supply chains in China, but it was not clear which iPhone 14 model this related to. Now, Pu has clarified that the model...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
Apple Tap to Pay iPhone

Apple Stores Rolling Out iPhone-to-iPhone Contactless Payments Starting Today

Wednesday May 25, 2022 6:54 am PDT by
Apple in February unveiled a new "Tap to Pay on iPhone" feature that will allow compatible iPhones to accept payments via Apple Pay, contactless credit and debit cards, and other digital wallets, with no additional hardware required. Apple began testing the feature at its Apple Park Visitor Center earlier this month, and now Bloomberg's Mark Gurman has tweeted that the feature will begin...
apple tv 4k design green

Apple Releases tvOS 15.5.1 for Apple TV HD and Apple TV 4K

Wednesday May 25, 2022 9:42 am PDT by
Apple today released tvOS 15.5.1, a minor update to the tvOS operating system that first launched in September 2021. tvOS 15.5.1 comes about 10 days after the launch of tvOS 15.5. tvOS 15.5.1 can be downloaded over the air on the Apple TV through the Settings app by going to System > Software Update. ‌‌‌‌‌‌Apple TV‌‌‌‌‌‌ owners who have automatic software updates...