How I Got into the Apple Hall of Fame!

shubhdeep
3 min read · Apr 23, 2022


Introduction:

When a web application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value, that is reflected back to the user. The user is then presented with a modified page under the context of the trusted domain, which makes the injected content look legitimate.

How did I find this?

  1. Subdomain Enumeration
  2. Probing for Live Assets
  3. Active & Passive reconnaissance

During the third phase, while performing passive reconnaissance, a URL caught my attention.

Tool used: https://github.com/lc/gau

Passive recon — gau

URL: https://activate.apple.com/success?deviceType=TV&appleId=donmac%40me.com

When I opened this URL, I got the following response, and at that moment I realized that it might be vulnerable to text injection.

Response — activate.apple.com

When I supplied content via the “appleId” parameter, it was reflected back in the response. The reflection was so beautiful that it was capable of making a victim believe the modified page is real, because it is served under the context of the trusted domain.

URL: https://activate.apple.com/success?deviceType=TV&appleId={Vulnerable to text injection}

Modified Page — Text injection

Since it was more convincing than other text injection scenarios I had seen, I quickly wrote a detailed report and submitted it to Apple for review. Guess what? They accepted the report and made a fix.

Asked for details

How did they fix it?

  1. Before reporting the issue, I analyzed the source code of the webpage.
  2. I came across a JavaScript file: https://activate.apple.com/success.4d4adb99f76951f234a1.js
  3. After the fix, they removed the “appleId” parameter.

Before vs After
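To make the pattern concrete, here is an added example (not Apple's code; the page template, hostname and sample values are constructed) showing a success page that echoes the “appleId” query value into its text, beside a hardened variant that validates and escapes the value instead of removing the parameter outright, plus a regression check a defender can run to confirm that an arbitrary string placed in the parameter no longer comes back verbatim.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for an activation success page (not the real template).
PAGE_TEMPLATE = (
    "<html><body><h1>Activation complete</h1>"
    "<p>Your {device} has been activated for {message}.</p>"
    "</body></html>"
)

# Conservative e-mail shape; anything else is not shown to the user.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_vulnerable(url: str) -> str:
    """Echo the appleId query value straight into the page body.

    This is the reflection the post describes: whatever the client places
    in ``appleId`` is displayed as page text under the trusted domain.
    """
    params = parse_qs(urlsplit(url).query)
    device = params.get("deviceType", ["device"])[0]
    apple_id = params.get("appleId", [""])[0]
    return PAGE_TEMPLATE.format(device=device, message=apple_id)


def render_fixed(url: str) -> str:
    """Hardened variant: only a value shaped like an e-mail address is shown,
    and it is HTML-escaped; anything else is replaced by neutral fixed text.
    """
    params = parse_qs(urlsplit(url).query)
    device = html.escape(params.get("deviceType", ["device"])[0])
    apple_id = params.get("appleId", [""])[0]
    message = html.escape(apple_id) if EMAIL_RE.match(apple_id) else "your Apple ID"
    return PAGE_TEMPLATE.format(device=device, message=message)


def reflects_canary(render, base_url: str, canary: str) -> bool:
    """Regression check: True if a free-form canary string supplied via
    appleId appears verbatim in the rendered page (i.e. text injection).
    """
    probe = f"{base_url}?deviceType=TV&appleId={quote(canary)}"
    return canary in render(probe)
```

Run `reflects_canary` against each renderer with a neutral marker string: the vulnerable page returns it unchanged, while the hardened page substitutes fixed text.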

Now, visiting the same URL gives the following result:

Response

Hall of Fame:

Hall of Fame

Timeline:

October 30, 2021 : Reported

November 2, 2021 : Triaged

February 22, 2022 : Resolved

April 20, 2022 : Credited
