Pentester Nepal
Published in

Pentester Nepal

How I found a bug in Apple within just in 5min.

Summary: I discovered a Cross-site Scripting (XSS) vulnerability in one of the acquisition sites of apple which is

It was May 15, 2020, I was looking in Apple web server notifications.

In which an article provides credit to people who have reported potential security issues in Apple’s web servers. I noticed here that apple is giving credit to researchers here along with the domain in which they found a bug, I was scrolling & found an acquisition domain name called “” I quickly visit to see that if I can find any bug there..!

I was checking the tabs in a site where I found the event tab I click on it

Now here I can create an event that has a certain field to fill the event details. I quickly fill the fields with XSS payload wherever it is possible to put :D. And at last, I preview the form now the XSS is executed here BOOM !!!! :V.

XSS executed after filling the fields with payload & click on the preview!

I quickly made a report & sent it to and they reply with an automated email response of receiving the report on May 19, 2020.

On May 27, 2020, They fixed the issue & reply with this below email:-

Although this issue does not qualify for a reward through the Apple Security Bounty program, we do provide the recognition of being listed in our security advisory when a reported issue is addressed.

I was aware of this but I was happy to be listed in their security advisory.

you can find my name on below Apple Credit page:-

#Moral:- If you didn’t found a bug in the main domain look into the acquisition domain.

Here is the proof of concept video file in the link below:-






Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store