Exposing iCloud user’s Name, phone numbers, and email addresses.
2023-5-21 20:43:52 Author: infosecwriteups.com(查看原文) 阅读量:37 收藏

Renganathan

InfoSec Write-ups

Hi There,

Renganathan Here, I’m an Ethical Hacker & a Security researcher.

This writeup is shared publicly with the permission of the Apple Product Security Team.

This write-up is about a misconfiguration that I found on iCloud and how I could have accessed the iCloud user’s name, phone number, and email address.

I’ve submitted only one report to Apple till now but It was not a valid one.

After seeing one of my mentors, Hemant Patidar was awarded $$$$ for finding a vulnerability on apple id, I thought should give it a try to apple again :)

I started with iCloud this time instead of starting with apple.com and subdomain enumerations and other stuff.

iCloud dashboard

I’m not an Apple user, I didn’t know the features and functions so was manually exploring them. Then I clicked upon notes and saw something like the one below.

given attention to the URL

So there’s a link for the iCloud notes which I can share with people.

The link looked something like the one below:

https://www.icloud.com/notes/neVeRgoNNagiVEyouuP

so just like another bug hunter, I was curious to access others’ notes.

I used the below Google Dorks to enumerate all the notes.

site:icloud.com/notes/*

The notes link were crawled only because they were shared publicly, else Google can’t crawl them.

Links Enumerated

But that doesn’t stop there I need to gain access to others’ notes.

but a few of them gave me this 404 error.

404 error

But they returned with a verification requirement

verification requirement

I clicked on verify,

BOOM! (The most expected word LOL)

email id exposed

That just showed me who’s the owner of the notes by exposing the email id.

Again a few of them showed me the owner’s phone number

phone number exposed

By opening the link in the private window it showed me the name of the owner

Owner name exposed

I tried to get a copy of the verification link by modifying the API request but it was not vulnerable. So I reported this as the owner’s details were exposed, my bug was accepted, and I was credited to the apple hall of Fame.

TimeLine:

June 2, 2021 - Reported

June 16, 2021 - Accepted & patch was implemented against crawling the links.

- Completely fixed.

February, 2022 - got listed in their hall of fame.

Patched

Thanks for reading :)
Stay Safe.

https://www.instagram.com/renganathanofficial/

https://twitter.com/IamRenganathan

https://www.linkedin.com/in/renganathanofficial


文章来源: https://infosecwriteups.com/exposing-icloud-users-name-phone-numbers-and-email-addresses-d1f4a3786092?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh