Vishal Bharad, an Indian bug hunter and pentester, explained in a blog post how he discovered an XSS vulnerability on iCloud.com.
Initially, the researcher searched the site for vulnerabilities related to CSRF (Cross-Site Request Forgery), IDOR (Insecure Direct Object Reference), logic errors, and so on, but by accident discovered an XSS vulnerability.
The vulnerability was present in Apple Pages and Keynote hosted on iCloud. Exploiting the bug meant creating a new document or presentation and injecting an XSS payload into the name field.
Basically, in order to exploit the problem, the attacker had to share a link to a malicious document or presentation with the victim, and then convince them to open the settings and use the Browse All Versions function. As soon as the victim clicked on Browse All Versions, the attacker's malicious payload ran in the browser. An example of such an attack can be seen below.
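The flow above is a textbook stored XSS: a value the user controls (the document name) is stored and later rendered into HTML by a different view (the version browser). The following is an added illustration, not Apple's code or the researcher's: it assumes a version list is built as an HTML string from the stored name, and shows the unsafe concatenation next to the escaped form.

```javascript
// Added example, not code from the original post or from iCloud.
// Constructed sample: a document name carrying an injected tag.
const DOC_NAME = 'Budget 2020 <script>alert(1)</script>';
const VERSIONS = ['v1', 'v2'];

// Unsafe: the stored name is concatenated straight into markup, so any tag
// inside it becomes part of the DOM when the version list is rendered.
function renderVersionsUnsafe(name, versions) {
  return versions.map(v => `<li>${name} (${v})</li>`).join('');
}

// Escape the five HTML-significant characters so the name is shown as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Safe: every untrusted value is escaped before it reaches the markup.
function renderVersionsSafe(name, versions) {
  return versions
    .map(v => `<li>${escapeHtml(name)} (${escapeHtml(v)})</li>`)
    .join('');
}

// A simple regression check for a review or unit test: does a raw script tag
// survive rendering?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', containsRawScriptTag(renderVersionsUnsafe(DOC_NAME, VERSIONS)));
console.log('safe:  ', containsRawScriptTag(renderVersionsSafe(DOC_NAME, VERSIONS)));
```

In a real UI the same fix is achieved by assigning the name with `textContent` instead of `innerHTML`; escaping at output time is what the hardened version does here.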
Bharad says that he discovered the problem back in August 2020 and immediately reported it to Apple. The vulnerability was fixed only in the fall, and in October 2020 the company paid the researcher a $5,000 reward for discovering this bug.
Let me remind you that in 2020, Google paid cybersecurity experts $6.7 million, and I also wrote that Researcher Earned More than $2,000,000 on HackerOne.