How I Got Into the Apple Hall of Fame

Introduction

When a web application does not properly handle user-supplied data, an attacker can supply content to the application, typically via a parameter value, that is reflected back to the user as part of the page. This presents the user with a modified page under the context of the trusted domain; the class of bug is known as text injection (or content spoofing).

How did I find this?

  1. Subdomain Enumeration
  2. Probing for Live Assets
  3. Active & Passive reconnaissance

During the third phase, while performing passive reconnaissance, a URL caught my attention.

Tool used: https://github.com/lc/gau

[Screenshot: Passive recon — gau]

URL: https://activate.apple.com/success?deviceType=TV&appleId=donmac%40me.com

When I opened this URL, I got the following response. At that moment, I realized that it might be vulnerable to text injection.

[Screenshot: Response — activate.apple.com]

When I supplied content via the “appleId” parameter, it was reflected back verbatim in the response. The reflection was so clean, and blended so well into the page, that it could make a victim believe the modified page is genuine, since it is served under the context of the trusted domain.

URL: https://activate.apple.com/success?deviceType=TV&appleId={vulnerable to text injection}

[Screenshot: Modified page — text injection]

Since the reflection was cleaner than in other text injection scenarios, I quickly wrote a detailed report and submitted it to Apple for review. Guess what? They accepted the report and made a fix.

[Screenshot: Apple asked for details]

How did they fix it?

Before reporting the issue, I analyzed the source code of the webpage and came across the JavaScript file that builds the success page:

https://activate.apple.com/success.4d4adb99f76951f234a1.js

After the fix, they removed the “appleId” parameter, so the page no longer reflects anything supplied through it.

[Screenshot: Before vs After]
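To make the before/after concrete, here is an added example (my own model, not Apple's code or the contents of the success.*.js file): a function that reflects the `appleId` query parameter into the page text the way a vulnerable handler does, a hardened version that validates both parameters and falls back to fixed wording instead of echoing input, and a small check that tells you whether a response contains a parameter's value unchanged. Everything is assumed: the message wording, the `KNOWN_DEVICE_TYPES` allowlist and the email shape check are constructed for the demo, and the page is modelled as a string so the code runs under Node without a DOM.

```javascript
// Added example, not Apple's code: a minimal model of how a "success" page
// can reflect a query parameter as page text, a hardened version that
// validates before rendering, and a check a tester or reviewer can run to
// see whether a response echoes a parameter verbatim. Runs under Node; the
// page is modelled as a string, and the allowlist below is an assumption.

// Constructed allowlist of device types the page is assumed to know about.
const KNOWN_DEVICE_TYPES = new Set(["TV", "iPhone", "iPad", "Mac"]);

// Conservative email shape check: one "@", no whitespace or quoting
// characters, a dotted domain. Not RFC-complete; the point is that free
// text never passes, not that every legal address does.
const EMAIL_RE = /^[^\s@<>"'(),;:]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;

// Decoded value of one query parameter, or "" when absent.
function queryParam(pageUrl, name) {
  return new URL(pageUrl).searchParams.get(name) ?? "";
}

// Vulnerable pattern: whatever arrives in ?appleId= becomes page text.
function buildSuccessMessageVulnerable(pageUrl) {
  const deviceType = queryParam(pageUrl, "deviceType");
  const appleId = queryParam(pageUrl, "appleId");
  return `Your ${deviceType} was activated for ${appleId}`;
}

// Hardened pattern: both parameters are validated; anything that fails
// validation is replaced by fixed wording rather than echoed back.
function buildSuccessMessageHardened(pageUrl) {
  const deviceType = queryParam(pageUrl, "deviceType");
  const appleId = queryParam(pageUrl, "appleId");
  const safeDevice = KNOWN_DEVICE_TYPES.has(deviceType) ? deviceType : "device";
  if (appleId.length <= 254 && EMAIL_RE.test(appleId)) {
    return `Your ${safeDevice} was activated for ${appleId}`;
  }
  return `Your ${safeDevice} was activated.`;
}

// Review/detection helper: true when the response text contains the
// parameter's decoded value unchanged, which is the symptom of text injection.
function reflectsParameter(responseText, pageUrl, name) {
  const value = queryParam(pageUrl, name);
  return value.length > 0 && responseText.includes(value);
}

// Constructed inputs: the genuine-looking URL from the write-up and one
// where the parameter carries free text instead of an address.
const GENUINE_URL =
  "https://activate.apple.com/success?deviceType=TV&appleId=donmac%40me.com";
const FREE_TEXT_URL =
  "https://activate.apple.com/success?deviceType=TV&appleId=" +
  encodeURIComponent("this is not an address");

if (typeof require !== "undefined" && require.main === module) {
  for (const url of [GENUINE_URL, FREE_TEXT_URL]) {
    const vulnerable = buildSuccessMessageVulnerable(url);
    console.log("vulnerable:", vulnerable);
    console.log("hardened:  ", buildSuccessMessageHardened(url));
    console.log("reflected? ", reflectsParameter(vulnerable, url, "appleId"));
  }
}
```

In a real browser bundle the returned string would still have to reach the DOM through `textContent` (never `innerHTML`), but as this bug shows, escaping alone is not the fix: plain text that looks official is the whole problem, so the hardened version refuses to render anything that is not shaped like the value the page expects. Removing the parameter entirely, as Apple did, is the simplest version of the same rule.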

Now, visiting the same URL gives the following result:

[Screenshot: Response after the fix]

Hall of Fame

[Screenshot: Apple Hall of Fame listing]

Timeline

October 30, 2021: Reported
November 2, 2021: Triaged
February 22, 2022: Resolved
April 20, 2022: Credited

shubhdeep

Cyber security enthusiast