Stored XSS Vulnerability on iCloud.com Earned Researcher $5,000
Security News, February 2021
A bug bounty hunter claims he has earned a $5,000 reward from Apple for reporting a stored cross-site scripting vulnerability on iCloud.com.
Vishal Bharad, a researcher and penetration tester from India, published a blog post earlier this week describing his findings.
Bharad said he had attempted to find cross-site request forgery, insecure direct object reference, logic bugs and other types of issues on Apple's icloud.com website, but ultimately ended up discovering a stored XSS flaw.
Exploitation involved creating a new document or presentation and entering an XSS payload into its name field. Because the flaw is a stored XSS, the payload was saved along with the document and executed whenever the name was rendered back into a page, rather than only in the request that submitted it.
Alongside the blog post, Bharad published a video showing how the attack worked.
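The following is an added example and is not code from the article, from Bharad's write-up or from Apple. It models the stored XSS pattern described above in a few lines of server-side JavaScript: a document name is saved once and later rendered into a page that lists documents. The in-memory store, the document ids, the payload string and the HTML templates are all constructed for illustration; the point is the difference between interpolating the stored name directly and encoding it for the HTML context it lands in.

```javascript
// Added example, not code from the article or from Apple. It models the stored
// XSS pattern the article describes: a document name is saved once, then
// rendered into every page that lists documents. The store, the document ids,
// the payload and the HTML templates are all constructed for illustration.

// Constructed payload in the spirit of "an XSS payload in the name field". It
// closes the attribute it lands in and adds an element with an event handler,
// so it fires whether the name is echoed into an attribute or into text.
const PAYLOAD_NAME = '"><img src=x onerror=alert(document.domain)>';

// Persist the name exactly as typed. Input validation is not where the fix
// belongs: the same name may later be rendered into HTML, JSON and plain text.
function saveDocument(store, id, name) {
  store.set(id, { id, name });
  return store.get(id);
}

// Vulnerable rendering: the stored name is interpolated straight into markup,
// once inside a quoted attribute and once as element text.
function renderListingUnsafe(store) {
  let html = '<ul>';
  for (const doc of store.values()) {
    html += `<li><a href="/docs/${doc.id}" title="${doc.name}">${doc.name}</a></li>`;
  }
  return html + '</ul>';
}

// Output encoding for HTML text and double-quoted attribute values. Encoding
// these five metacharacters is sufficient for those two contexts only; a name
// dropped into a <script> block, a URL or an unquoted attribute needs a
// different encoder for that context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, every untrusted value encoded at the
// point where it enters HTML.
function renderListingSafe(store) {
  let html = '<ul>';
  for (const doc of store.values()) {
    const id = escapeHtml(doc.id);
    const name = escapeHtml(doc.name);
    html += `<li><a href="/docs/${id}" title="${name}">${name}</a></li>`;
  }
  return html + '</ul>';
}

// Check used below: the sorted set of element names that appear in the output.
// The template itself emits only ul, li and a; anything else came from data.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)/gi)) names.add(m[1].toLowerCase());
  return [...names].sort();
}

function demo() {
  const store = new Map();
  saveDocument(store, 'doc-1', PAYLOAD_NAME);           // constructed id and payload
  saveDocument(store, 'doc-2', 'Q1 budget & "notes"');  // benign name with metacharacters
  return {
    unsafeTags: tagNames(renderListingUnsafe(store)),   // ['a', 'img', 'li', 'ul']
    safeTags: tagNames(renderListingSafe(store)),       // ['a', 'li', 'ul']
    safeHtml: renderListingSafe(store),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The stored value is left untouched on write and encoded on read, which is the usual shape of the fix: the name must stay usable in other output contexts, and a filter on input would have to anticipate every one of them. The benign second name shows why encoding rather than stripping is the right call, since `&` and quotes are legitimate in a document title and survive the round trip intact once entity-encoded.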
Bug bounty platform HackerOne reported last year that its members had earned more than $4 million for XSS vulnerabilities.