How I got 9000 USD by hacking into iCloud


You may be wondering what the hell this image means... This is a summary photo of a possible attack vector that I found on iCloud, but either way, don't pay attention to my poor image handling skills, in the end, you will have a clear view of this image.


Introduction

In this post, I’m going to share a vulnerability that I found in ICloud that could allow an attacker to execute malicious code in another iCloud account. We will see how the attack could be exploited and what an attacker could do in the victims’ accounts.

 

Apple and the iCloud

In December 2020, I came across an amazing tweet of a group of researchers who hacked Apple for 3 Months. In the blog post shared in the tweet, 55 vulnerabilities in the Apple domain are explained. I spent long hours reading the great content, and then I decided to try to hack Apple as well.


My strategy was to focus on a single target: iCloud. I have limited time during the week and I decided to explore iCloud in order to understand the functionalities, the interactions among the subdomains and identify some possible approaches to use.


The XSS Vulnerability

The vulnerability exploited is a Cross-site Scripting in the process of creating a File or a Folder in iCloud Drive.

A Cross-site scripting (a.k.a XSS), briefly speaking, is a type of security vulnerability that allows an attacker to execute malicious code on the victims' browser. There are different ways to do it, in this blog post from BugCrowd you can find a great explanation about this type of attack.


System Context

In iCloud Drive, we are able to upload our files and organize them in folders.




Those Folders and files can be shared with other iCloud users using their emails, or we can simply turn the file/folder public and share its link to any iCloud user interested to have access to it.

Here, the sharing functionality is important in the context of the attack, as it allows the attacker to share the XSS with the victim in that way.



The XSS...

Each folder or file has an Icon where we can see the details and edit name





When the tiny window is opened, along with other information, an HTML span tag is injected into the DOM.



And due to a server misconfiguration, an attacker would be able to include HTML tags on the directory name and it would be loaded into the DOM.



Having the ability to insert new elements in the DOM, the attacker would be able to execute javascript on the page:




The POC

In iCloud Drive, they have a strict CSP which at that time was not allowing me to use script tags or request a domain out of *.icloud.com and *.apple.com but I was able to use event handlers to execute the javascript from the XSS.

In the beginning, I spent some time thinking about what the XSS could do, I had found the XSS and the way to share it. I decided to stop from here and share it immediately with Apple before someone else would do.

Some days later, I sent another report to Apple to be appended to the ticket.

In the final POC, the Attacker shares a folder with the victim where the folder name was:

PLEASE EDIT DIR NAME <img src onerror="(function hacking(){//BAD JS STUFF}())"/>


Inside the Javascript function, I added a code that performed some requests to the iCloud APIs, to retrieve all the files/folder ids and move them to the folder shared by the Attacker, allowing the attacker to get access to all the victim’s files.

In the end, the victim will have all of their files automatically moved to the folder by the XSS and that is the explanation for the image from the beginning of this post.


Points to be considered

In this scenario, the XSS would be fully exploited by the attacker only if the victim accepts the shared folder and decides to open the tiny window. If the tiny window is not opened the XSS would not be executed.

Apart from that, when the attacker shares the malicious folder, the victim can edit the name and remove the XSS, but when it is done, the change occurs only on the victim’s side. Based on that, the attacker would be able to share the same malicious folder with many victims and get access to the files from all the victims that opened the tiny window.

Last but not least, as soon as the attacker is able to see the victims file inside the shared folder, the attacker would be able to stop sharing the Folder, stealing all the files from the victims



In the end, the XSS will move all the files/folders from the victim into the shared folder, and the attacker could remove the access to the victim by performing a data-stealing approach.


Triage Dates

25/01/2021 – OPENED
01/02/2021 – RE-TESTED (fixed)
02/02/2021 – Hall of fame credit
16/02/2021 – Bounty



I need to admit that I had bad nights during the first and second week of February, waiting for news coming from Apple but in the end, I received that nice email.


That is my first write-up, this achievement was very important to me and I am proud I could do it in a short time of learning. One of my goals, when I started, was to find a vulnerability and create a write up for it like all the researchers from the bug bounty community usually do. I take the advantage of this post to thank you all the content creators in the infosec industry as well as everybody from the Bug Bounty community.


A bit of context about me

In August 2020, I decided to start learning about Ethical Hacking and how a Bug Bounty program works. I need to confess that even with many years of experience in the IT Industry in Software Engineering, only now I have a better picture of how challenging and big the IT-Security industry is.

I started by following the #BugBounty community on Twitter. There, many hackers sharing their findings and reports, which help beginners to get familiarized. Also, there are some learning platforms for Ethical Hacking. I'd recommend Web-Security Academy from PortSwigger. Many others can be found with a simple search.

I started the hands-on journey by doing practical labs in learning platforms, while I was getting more familiarized with the content. One of the first things I learned from the community was to avoid jump start with hacking but to try to understand how things work and how we can exploit vulnerabilities. After 3 months, I started trying it and I found my first valid bug (I will disclose it in another post) and my first bounty. I keep learning more and also trying to hack companies on the web, one of them was Apple as we saw above.

Comments

  1. congratulations man.
    i also started learning about infosec at same time as you did :)

    ReplyDelete
  2. apple say investigating it is maybe accepted?

    ReplyDelete
    Replies
    1. There are some cases that they take long time to check. Maybe it can be accepted.

      Delete
  3. did you explained the bad stuff or just showed the alert() popup

    ReplyDelete
    Replies
    1. The report was opened with the simple alert. I explained the bad stuff some days later, maybe it helped to evaluate the severity, I don't know.

      Delete

Post a Comment