Apple fixed a critical bug on its iCloud website. The company had been made aware of this vulnerability by a security researcher and was grateful. The vulnerability had the potential to spread quickly via manipulated iWork documents.
Apple has had potentially serious security issues before. In the present case, however, the flaw was not in a software or operating system version but on the iCloud website.
Specifically, an attacker could exploit the vulnerability through manipulated Pages or Keynote documents: a cross-site scripting (XSS) payload placed in a file's name field was executed when the name was rendered. As a result, further documents could have been manipulated with a harmful payload as soon as the user shared the document with other users. If the user saved it again after making a change and, for whatever reason, opened version management to view earlier versions of the document, further documents could be infected.
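The defensive point behind a stored XSS in a name field is that a user-controlled string is concatenated into page markup without output encoding. The following is an added illustration, not Apple's code and not the researcher's proof of concept; the rendering functions, the sample document name and the version table layout are all constructed for the example. It contrasts the unsafe pattern with one that escapes every untrusted value for the HTML text context before rendering, which is the general fix for this class of bug.

```javascript
// Added example: rendering an untrusted document name safely.
// Hypothetical helper names; not from Apple's iCloud code base.

// Map each HTML-significant character to its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for insertion into an HTML text or attribute-value context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: concatenates the raw name into markup. When the name is
// attacker-controlled this is exactly the pattern that yields a stored XSS.
function renderVersionRowUnsafe(docName, versionLabel) {
  return `<tr><td>${docName}</td><td>${versionLabel}</td></tr>`;
}

// Safe rendering: every untrusted value is escaped before it reaches the DOM.
function renderVersionRowSafe(docName, versionLabel) {
  return `<tr><td>${escapeHtml(docName)}</td><td>${escapeHtml(versionLabel)}</td></tr>`;
}

// Detection-style check a reviewer or test could run over rendered fragments:
// does the output still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a document name carrying markup, as a user could set it.
const SAMPLE_NAME = "Budget <script>alert(1)</script>.pages";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderVersionRowUnsafe(SAMPLE_NAME, "v2"));
  console.log("safe:  ", renderVersionRowSafe(SAMPLE_NAME, "v2"));
}
```

In a real page the same rule applies whether the name lands in a table cell, a tooltip or a version-history list: pick the encoder for the context (HTML text, attribute, JavaScript string, URL) and apply it at the point of output, so that a name stored months earlier cannot run as code when an old version is viewed later.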
Apple has now fixed the error
The vulnerability was discovered by the security researcher Vishal Bharad, who had informed Apple about it back in August and reported on the problem in a blog post. In the end it paid off for him: Apple paid the expert a $5,000 finder's fee.
The vulnerability has since been eliminated; the fix was applied on Apple's server side, so no updates were necessary.
Apple, like most tech companies, pays good money for the discovery and discreet reporting of security problems.