Security researcher Vishal Bharad wrote about a stored XSS bug he discovered in iCloud. After disclosing it to Apple on August 7, 2020 he was awarded US$5,000.
Stored XSS iCloud Bug
XSS, or cross-site scripting, is a type of attack where malicious scripts can be injected into a website, like loading a web form with malicious code. Stored XSS means the code is persistent and can be used to attack website visitors.
iCloud’s flaw was found within the Pages and Keynote apps. An attacker could trigger the flaw by creating new content with either of these apps using XSS code. Then, it could be saved and shared with another iCloud user. The attacker would have to change the content, save it again, and visit Settings > Browse All Versions. This would then activate the code.
Mr. Bharad created a proof-of-concept video to demonstrate how it could work.