A security researcher from India was awarded $5,000 from Apple via its bug bounty program, after discovering a cross-site scripting (XSS) flaw in iCloud. Since the discovery of the issue, Apple has patched the issue in iCloud.com.
The vulnerability found by Vishal Bharad involved creating a file in Pages or Keynotes on the iCloud website, part of Apple’s iWork
bundle. The file was created with a specific name that contained the desired XSS
payload.After sending the file to another user or collaborating with them, the attacker then had to make changes to the document and save it, the researcher advised in a blog post
. Changing “Browse All Versions” in Settings then triggers the running of the XSS payload on the other user’s device.
Source: APPLE INSIDER