Introduction:
When a web application does not properly handle user-supplied data, an attacker can supply content to the application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.
How did I find this?
- Subdomain Enumeration
- Probing for Live Assets
- Active & Passive reconnaissance
During the third phase, while performing passive reconnaissance, a URL caught my attention.
Tool used: https://github.com/lc/gau
URL: https://activate.apple.com/success?deviceType=TV&appleId=donmac%40me.com
When I tried opening this URL, I got the following results. At that moment, I realized that it might be vulnerable to text injection.
When I supplied content via the “appleId” parameter, it was reflected back in the response. The reflection was so beautiful, and capable enough to make a victim believe that the modified page is real, under the context of the trusted domain.
URL: https://activate.apple.com/success?deviceType=TV&appleId={Vulnerable to text injection}
Since it was more beautiful than other text injection scenarios, I quickly made a detailed report and submitted it to Apple for review. Guess what? They accepted the report and made a fix.
How did they fix it?
- Before reporting the issue, I analyzed the source code of the webpage.
- I came across a JavaScript file: https://activate.apple.com/success.4d4adb99f76951f234a1.js
- After the fix, they removed the “appleId” parameter.
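As an added illustration (not Apple's code, and not the contents of the success.js file above): a page that reflects a query parameter into its text the way described, beside a hardened version that only renders values of the expected shape. The function names, the device list and the sample URLs are assumptions.

```javascript
// Added example: reflected text injection on a "success" page.
// Hypothetical helpers, not the real success.js.

function parseSuccessParams(url) {
  const params = new URL(url).searchParams;
  return {
    deviceType: params.get("deviceType") ?? "",
    appleId: params.get("appleId") ?? "",
  };
}

// Vulnerable pattern: whatever arrives in appleId becomes page text.
// HTML-encoding alone does not help here: nothing executes, but the
// attacker's sentence is shown on the trusted domain, which is the
// whole point of text injection.
function buildMessageVulnerable(url) {
  const { deviceType, appleId } = parseSuccessParams(url);
  return `Your ${deviceType} has been activated for ${appleId}.`;
}

// Hardened pattern: render a value only if it matches the strict shape
// the page expects, otherwise fall back to neutral fixed text. (The fix
// described in this post went further and dropped the parameter.)
const DEVICE_TYPES = new Set(["TV", "iPhone", "iPad", "Mac"]); // assumed list
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$/;

function buildMessageHardened(url) {
  const { deviceType, appleId } = parseSuccessParams(url);
  const safeDevice = DEVICE_TYPES.has(deviceType) ? deviceType : "device";
  const safeId = EMAIL_RE.test(appleId) ? appleId : "your Apple ID";
  return `Your ${safeDevice} has been activated for ${safeId}.`;
}

// Detection aid for access logs: flag requests whose appleId does not
// look like an email address (free text, spaces, URLs, ...).
function isSuspiciousAppleId(url) {
  const { appleId } = parseSuccessParams(url);
  return appleId !== "" && !EMAIL_RE.test(appleId);
}
```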
Now, visiting the same URL gives the following result:
Hall of Fame:
Timeline:
October 30, 2021 : Reported
November 2, 2021 : Triaged
February 22, 2022 : Resolved
April 20, 2022 : Credited