How I found a bug in Apple within just in 5min.
Summary: I discovered a Cross-site Scripting (XSS) vulnerability in one of the acquisition sites of apple which is Filemaker.com
It was May 15, 2020, I was looking in Apple web server notifications.
In which an article provides credit to people who have reported potential security issues in Apple’s web servers. I noticed here that apple is giving credit to researchers here along with the domain in which they found a bug, I was scrolling & found an acquisition domain name called “Filemaker.com” I quickly visit to see that if I can find any bug there..!
I was checking the tabs in a site where I found the event tab I click on it
Now here I can create an event that has a certain field to fill the event details. I quickly fill the fields with XSS payload wherever it is possible to put :D. And at last, I preview the form now the XSS is executed here BOOM !!!! :V.
I quickly made a report & sent it to firstname.lastname@example.org and they reply with an automated email response of receiving the report on May 19, 2020.
On May 27, 2020, They fixed the issue & reply with this below email:-
I was aware of this but I was happy to be listed in their security advisory.
you can find my name on below Apple Credit page:-
Apple web server notifications
A server configuration issue was addressed. We would like to acknowledge Joseph Thacker for reporting this issue…
#Moral:- If you didn’t found a bug in the main domain look into the acquisition domain.
Here is the proof of concept video file in the link below:-