Hi there,
Renganathan here. I’m an ethical hacker and a security researcher.
This writeup is shared publicly with the permission of the Apple Product Security Team.
This write-up is about a misconfiguration that I found on iCloud and how I could have accessed the iCloud user’s name, phone number, and email address.
I’ve submitted only one report to Apple till now, but it was not a valid one.
After seeing that one of my mentors, Hemant Patidar, was awarded $$$$ for finding a vulnerability on Apple ID, I thought I should give Apple a try again :)
I started with iCloud this time instead of starting with apple.com and subdomain enumerations and other stuff.
I’m not an Apple user and didn’t know the features and functions, so I was manually exploring them. Then I clicked on Notes and saw something like the one below.
So there’s a link for the iCloud notes which I can share with people.
The link looked something like the one below:
So, just like any other bug hunter, I was curious to access others’ notes.
I used the Google dork below to enumerate all the notes.
site:icloud.com/notes/*
The note links were crawled only because they were shared publicly; otherwise Google can’t crawl them.
But it doesn’t stop there: I need to gain access to others’ notes.
But a few of them gave me this 404 error.
But they returned with a verification requirement.
I clicked on Verify,
BOOM! (The most expected word LOL)
That just showed me who’s the owner of the notes by exposing the email id.
Again, a few of them showed me the owner’s phone number.
Opening the link in a private window showed me the name of the owner.
I tried to get a copy of the verification link by modifying the API request, but it was not vulnerable. So I reported this, as the owner’s details were exposed. My bug was accepted, and I was credited in the Apple Hall of Fame.
Timeline:
June 2, 2021 - Reported
June 16, 2021 - Accepted & patch was implemented against crawling the links.
- Completely fixed.
February 2022 - Got listed in their Hall of Fame.
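
The timeline notes that the fix was a patch against crawling the shared links. The following is an added example, not Apple's implementation and not code from the original write-up: it classifies how a share-link response is exposed to a search crawler, using standard robots.txt, X-Robots-Tag and meta robots semantics. The URL, page bodies and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # directives that keep a page out of search results

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def header_directives(headers):
    """Directives from X-Robots-Tag headers; a 'googlebot:' style prefix is dropped."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= {t.rsplit(":", 1)[-1].strip().lower() for t in value.split(",")}
    return found

def audit_share_page(url, headers, body, robots_txt, agent="Googlebot"):
    """Classify how a share-link response is exposed to a search crawler."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)
    meta = RobotsMeta()
    meta.feed(body)
    noindex = bool((header_directives(headers) | meta.directives) & BLOCKING)
    if noindex and crawlable:
        return "noindex"                   # crawler reads the directive and drops the page
    if noindex:
        return "noindex-hidden-by-robots"  # crawl is blocked, so the directive is never read
    if not crawlable:
        return "crawl-blocked-only"        # URL can still be listed if linked elsewhere
    return "indexable"

# Constructed sample input: hypothetical share URL and responses, not real iCloud data.
URL = "https://share.example.com/notes/CONSTRUCTED-TOKEN"
PAGE = "<html><head><title>Shared note</title></head><body></body></html>"
NOINDEX_PAGE = PAGE.replace("<title>", '<meta name="robots" content="noindex"><title>')
BLOCK_NOTES = "User-agent: *\nDisallow: /notes/"

if __name__ == "__main__":
    print(audit_share_page(URL, [], PAGE, ""))
    print(audit_share_page(URL, [], NOINDEX_PAGE, BLOCK_NOTES))
```

A result of "noindex-hidden-by-robots" or "crawl-blocked-only" means the page is not fetched by the crawler, but its URL can still surface in results if other sites link to it.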
Thanks for reading :)
Stay Safe.
https://www.instagram.com/renganathanofficial/