iCloud.com DOM-Based XSS! #BugBounty

On 4/20/2017 I received an email from one of my friends, and the email included an attachment.

My friend was trying to share a video from his iPhone.

Anyway, they're HTML files! Let's download the files and see what's inside.

Start with: ATT00001.htm

Nothing interesting!

ATT00002.htm

Interesting! It's simple HTML code, but anyway, let's see how it looks in a browser.

Let's look at the source code again, but from the browser this time:

As both previous screenshots show, the HTML code contains an icloud.com/attachment…etc. URL.

Let's decode the iCloud URL and see the parameters that the application uses to load the attachment files.

Let's open the URL.

Did you notice that?! The file name shown on the page matches the value of the [f] parameter, which is: f=IMG_1749.MOV.

Let's check whether the developer was aware of cross-site scripting!

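The post does not show the script's code, so the following is an added sketch of the general bug class it describes, not Apple's code: a file name read from the f query parameter and written into markup unescaped, next to an escaped version. The function names, the example.invalid URL and the probe value are constructed for illustration.

```javascript
// Added illustration of the bug class; all names here are hypothetical.

// Read the attachment file name from the "f" query parameter.
function fileNameFromUrl(href) {
  return new URL(href).searchParams.get("f") || "";
}

// Vulnerable pattern: the decoded parameter is concatenated into markup
// that client-side script would then hand to innerHTML or document.write.
function renderTitleUnsafe(href) {
  return '<span class="filename">' + fileNameFromUrl(href) + "</span>";
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: escape before building markup. In a browser, assigning
// the value to element.textContent avoids building HTML at all.
function renderTitleSafe(href) {
  return '<span class="filename">' + escapeHtml(fileNameFromUrl(href)) + "</span>";
}

// Review check: did the parameter value introduce markup inside the wrapper?
function introducesMarkup(rendered) {
  const inner = rendered
    .replace(/^<span class="filename">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample inputs (not the real iCloud URL).
const BASE = "https://attachments.example.invalid/attachment";
const benignUrl = BASE + "?f=IMG_1749.MOV";
const probeUrl = BASE + "?f=" + encodeURIComponent("<i>IMG_1749.MOV</i>");

for (const url of [benignUrl, probeUrl]) {
  console.log("unsafe:", renderTitleUnsafe(url), introducesMarkup(renderTitleUnsafe(url)));
  console.log("safe:  ", renderTitleSafe(url), introducesMarkup(renderTitleSafe(url)));
}
```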

Ctrl + U: look into the source code for the cause of the issue, “/attachment/1813Project43/en-us/javascript-packed.js”:

Fri, Apr 21, 2017 at 5:38 PM: Issue reported to Apple.

Fri, Apr 21, 2017 at 5:38 PM: Acknowledgement of email/submission

Fri, Apr 28, 2017 at 6:49 PM: Apple follow up — Report Triaged

Fri, Jun 9, 2017 at 4:26 PM: Apple follow up — to validate the issue

Fri, Jun 9, 2017 at 11:25 PM: Fix Confirmed

Mon, Jul 17, 2017 at 5:52 PM: Apple asked for info to list it on the wall of fame, no bounty.