iCloud.com DOM-Based XSS! #BugBounty
On 4/20/2017 I received an email from one of my friends; the email included an attachment, as you see below:
My friend was trying to share a video from his iPhone.
Anyway, they are HTML files! Let's download the files and see what's inside!
Start with: ATT00001.htm
Interesting! It's simple HTML code, but anyway, let's see how it looks in a browser.
Let's look at the source code again, but from the browser this time:
As we notice in both previous photos, the HTML code presents an icloud.com/attachment…etc. URL.
Let's decode the iCloud URL and see the parameters that the application uses to load the attachment files.
Let's open the URL:
Did you notice that?! The file name matches the [F] parameter value, which is: f=IMG_1749.MOV.
Let's check whether the developer was aware of cross-site scripting!
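The pattern behind this kind of finding, a file name taken from the `f` query parameter and shown on the page, is sketched below next to a hardened form. This is an added example, not code from the original post or from Apple. The function names, the `example.test` URLs and the assumption that the value reaches an `innerHTML`-style sink are all hypothetical; only the `f` parameter and `IMG_1749.MOV` come from the post.

```javascript
// Added example with hypothetical names. The post does not show the page's
// script, so the innerHTML-style sink modelled here is an assumption.

// HTML-escape a value before it is placed into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Read the `f` query parameter; URLSearchParams percent-decodes it.
function fileNameFromUrl(href) {
  return new URL(href).searchParams.get("f") || "";
}

// Weak pattern: the decoded parameter is concatenated into markup that
// would then be assigned to innerHTML, so markup in `f` becomes live DOM.
function renderTitleUnsafe(href) {
  return '<span class="name">' + fileNameFromUrl(href) + "</span>";
}

// Hardened pattern: allowlist what a file name may look like, then
// escape anyway so the value can only ever be rendered as text.
const SAFE_NAME = /^[\w .()-]{1,255}$/;
function renderTitleSafe(href) {
  const name = fileNameFromUrl(href);
  const shown = SAFE_NAME.test(name) ? name : "attachment";
  return '<span class="name">' + escapeHtml(shown) + "</span>";
}

// Constructed sample inputs: a normal name and a name carrying inert markup.
const benign = "https://example.test/attachment?f=IMG_1749.MOV";
const markup = "https://example.test/attachment?f=%3Ci%3Ex%3C%2Fi%3E.MOV";

console.log(renderTitleUnsafe(markup)); // markup from the URL survives intact
console.log(renderTitleSafe(markup));   // replaced by a fixed placeholder name
console.log(renderTitleSafe(benign));   // normal file name is shown unchanged
```

In a browser, the equivalent fix at the sink is to assign the name with `textContent` instead of `innerHTML`.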
Fri, Apr 21, 2017 at 5:38 PM: Issue reported to Apple.
Fri, Apr 21, 2017 at 5:38 PM: Acknowledgement of email/submission
Fri, Apr 28, 2017 at 6:49 PM: Apple follow up — Report Triaged
Fri, Jun 9, 2017 at 4:26 PM: Apple follow up — to validate the issue
Fri, Jun 9, 2017 at 11:25 PM: Fix Confirmed
Mon, Jul 17, 2017 at 5:52 PM: Apple asks for info to address it on the wall of fame, no bounty.