Critical vulnerability in iWork for iCloud: Apple pays out a reward
The vulnerability had the potential to spread quickly via manipulated iWork documents.
Apple has had a potentially serious security issue in the past. In this case, however, it was not in a software or operating system release but in the iCloud website.
Specifically, an attacker could exploit the vulnerability through manipulated Pages or Keynote documents: an XSS payload was placed in the name field of a file. As a result, further documents could have been manipulated with a harmful payload as soon as the user shared his documents with other users. If the user saves the document again after making a change and, for whatever reason, opens version management to view earlier versions of it, further documents can be infected.
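The class of bug described above, a stored document name written into a version-history view without output encoding, shown beside the hardened form. This is an added example, not Apple's or the researcher's code; the function names, the data shape and the sample document are assumptions constructed for illustration.

```javascript
// Added illustration; all names and the sample data below are constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for use in HTML text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: the stored document name is concatenated into markup as-is.
function renderVersionsUnsafe(doc) {
  const rows = doc.versions.map((v) => `<li title="${doc.name}">${doc.name} (${v})</li>`);
  return `<ul>${rows.join("")}</ul>`;
}

// Hardened form: every user-controlled field is encoded at the point of output.
function renderVersionsSafe(doc) {
  const name = escapeHtml(doc.name);
  const rows = doc.versions.map((v) => `<li title="${name}">${name} (${escapeHtml(v)})</li>`);
  return `<ul>${rows.join("")}</ul>`;
}

// List the tags a browser would parse that the template did not intend.
// Only <ul> and <li> belong in this view; anything else came from the data.
function unexpectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags
    .map((t) => t.replace(/[<\/]/g, "").toLowerCase())
    .filter((t) => t !== "ul" && t !== "li");
}

// Constructed sample: a shared document whose name field carries inert markup.
const sharedDoc = {
  name: 'Q3 plan"><b>injected</b>',
  versions: ["version 1", "version 2"],
};

console.log("unsafe:", unexpectedTags(renderVersionsUnsafe(sharedDoc)).length, "unexpected tags");
console.log("safe:  ", unexpectedTags(renderVersionsSafe(sharedDoc)).length, "unexpected tags");
```

Because the name is stored with the document and travels with it when shared, the encoding has to happen in every view that prints it, including less-visited ones such as version history.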
Apple has now fixed the error
The vulnerability was discovered by the security researcher Vishal Bharad, who had already informed Apple of it in August and reported on the problem in a blog post. In the end it paid off for him: Apple paid the expert a $5,000 finder's fee.
The vulnerability has since been eliminated. The fix was made on Apple's server side, so no updates were necessary.
Apple, like most tech companies, pays good money to those who discover and discreetly report security problems.