How I Found Stored XSS In Apple
A few weeks ago I tried hunting for bugs in Apple.
Then an Internet friend of mine from Iraq messaged me about a bug he had found on one of Apple's subdomains, an XSS that had already been resolved. I got interested in his finding, so I tried to bypass the fix, but Apple had already put WAF protection in place. I also tried to bypass the WAF using different methodologies but had no luck. Then later on, I remembered iCloud.
iCloud is the service from Apple that securely stores your photos, files, notes, passwords, and other data in the cloud and keeps it up to date across all your devices automatically.
Exploitation
I tried uploading malicious files and observing the behavior through the web interface. When I opened the files, iCloud forced a download instead of opening the file directly on its server. However, when I uploaded and opened a simple PDF, it let me preview the file using the PDF viewer embedded in the browser.
So what I did next was inject an XSS payload into a PDF and upload it right away to iCloud. When I opened the file, BOOM!! The payload was triggered and an alert message popped up.
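As an added defender-side example (not code from the original writeup or from Apple), here is a Python check a file-sharing service could run before previewing an uploaded PDF inline: it flags the PDF name tokens that let a document run script or trigger actions in a browser viewer, and otherwise falls back to forcing a download, the way iCloud already does for other file types. The PDF samples are constructed here, and the hex-escape and object-stream handling are this example's own assumptions about how such a scanner should behave.

```python
import re

# PDF name tokens that let a document run script or trigger actions when a viewer opens it.
ACTIVE_CONTENT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# A PDF name ends at whitespace, a delimiter character, or the end of the data.
NAME_END = rb"(?=[\s()<>\[\]{}/%]|\Z)"

def normalize_names(pdf_bytes: bytes) -> bytes:
    """Decode #xx escapes so that /Java#53cript is seen as /JavaScript (assumption: worth checking)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), pdf_bytes)

def find_active_content(pdf_bytes: bytes) -> list:
    """Return the risky name tokens present in the uncompressed parts of the file."""
    data = normalize_names(pdf_bytes)
    return [key.decode() for key in ACTIVE_CONTENT_KEYS
            if re.search(re.escape(key) + NAME_END, data)]

def may_hide_objects(pdf_bytes: bytes) -> bool:
    """Object streams are compressed, so a plain byte scan cannot see what they contain."""
    return b"/ObjStm" in pdf_bytes

def response_headers(filename: str, pdf_bytes: bytes) -> dict:
    """Serve inline only when nothing active was found and nothing could be hidden;
    otherwise force a download (Content-Disposition: attachment), which keeps the
    browser's PDF viewer from rendering the document inside the site's origin."""
    safe_name = re.sub(r'[^\w. -]', "_", filename)  # keep the header well-formed
    inline_ok = not find_active_content(pdf_bytes) and not may_hide_objects(pdf_bytes)
    disposition = "inline" if inline_ok else "attachment"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples: a minimal clean PDF skeleton, the same skeleton with an
# OpenAction that would run (placeholder) JavaScript, and a hex-escaped variant of it.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF")
SCRIPTED_PDF = CLEAN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction << /S /JavaScript /JS (placeholder) >> >>")
ESCAPED_PDF = SCRIPTED_PDF.replace(b"/JavaScript", b"/Java#53cript")

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF), ("escaped", ESCAPED_PDF)):
        print(name, find_active_content(pdf),
              response_headers("report.pdf", pdf)["Content-Disposition"])
```

A byte scan like this is a first filter, not a parser: a service that must preview PDFs inline should still render them from a separate, cookie-less origin so that any script the viewer does run cannot reach the main site's session.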
I quickly reported it to Apple through their bug bounty program, but they refused to fix it. Anyway, I did not expect that I could still find bugs like these at giant companies like Apple, and who knows what I might find in the future.
Thanks for reading my writeup 😁.
If you have questions, you can reach me on Facebook | Twitter