The following is a writeup of a cross-site scripting (XSS) vulnerability in a confidential Apple forum, which would allow a malicious actor to execute arbitrary JavaScript in the context of a signed-in user’s browser.
Background: XSS vulnerabilities
Cross-site scripting is a web security vulnerability which allows malicious actors to inject scripts into web content accessed by other users. This can lead to a variety of malicious activities - such as data exfiltration, session hijacking, and defacement.
Originally coined in 2000 by Microsoft employees to describe the loading of third-party scripts into a page, the term cross-site scripting has since been extended to cover a family of different code injection techniques.
Several different types of XSS vulnerabilities include:
- Stored (persistent) XSS in which a malicious script is stored on a server - such as in a database - and then executed on an end users’ device when accessing the page
- Reflected (non-persistent) XSS in which a malicious script is “reflected” off a web server, such as being included in a query parameter which is then executed on an end users’ device
- DOM-based XSS in which client-side code unsafely manipulates the DOM, such as passing user-controlled data to eval or innerHTML
The vulnerability
Apple has a confidential forum which external users can be invited to. This forum is built using Ruby on Rails and supports BBCodes for post formatting.
One of the BBCodes that is supported is the url code. As illustrated in this page here, this BBCode can be vulnerable to Stored XSS injection via the javascript: URL scheme. In this case, the forum allowed url codes with this scheme.
For example, a forum post could be created with the following:
[url=javascript:alert('XSS')]Click here[/url]
When another user clicks on this link, an alert with the text “XSS” would be shown in their browser.
As mentioned in the above linked blog post, this code can be obfuscated to hide its intentions from end users too. For example, this has the same effect as the above:
[url=javascript:eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))]Click here[/url]
Since any arbitrary JavaScript can be executed here, data exfiltration (such as data/cookie stealing) was possible instead of simply showing an alert.
This vulnerability was resolved by a backend change which now prohibits the usage of javascript: URL schemes in url BBCodes. As mentioned in the HTML specification, one method of mitigating an issue like this is to employ a Content Security Policy; however, as of writing there is no Content Security Policy applied to this forum, either via the Content-Security-Policy header or a meta tag.
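The kind of server-side check the fix describes, written here as an added example rather than the forum's own code. Instead of blocking only javascript:, it allow-lists http and https and normalizes the href the way browsers do before parsing the scheme, so mixed-case and control-character variants of the scheme are rejected as well; the tag regex and helper names are assumptions for the example.

```ruby
require 'cgi'
require 'uri'

# Constructed renderer for the [url=...]label[/url] BBCode (not the forum's code).
# Only absolute http(s) links become anchors; anything else is rendered as
# escaped plain text so no javascript:, data: or vbscript: href reaches the page.
SAFE_SCHEMES = %w[http https].freeze
URL_TAG = %r{\[url=(.*?)\](.*?)\[/url\]}mi

def safe_href?(raw)
  # Browsers strip ASCII control characters and whitespace before reading the
  # scheme and compare it case-insensitively, so normalize the same way first;
  # otherwise "JaVaScRiPt:" or "java\tscript:" would pass a naive prefix check.
  cleaned = raw.gsub(/[\u0000-\u0020]/, '')
  uri = URI.parse(cleaned)
  return false if uri.scheme.nil? # relative and scheme-relative URLs are not linked
  SAFE_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

def render_url_bbcode(text)
  text.gsub(URL_TAG) do
    href  = Regexp.last_match(1)
    label = Regexp.last_match(2)
    if safe_href?(href)
      %(<a href="#{CGI.escapeHTML(href)}" rel="noopener noreferrer">#{CGI.escapeHTML(label)}</a>)
    else
      # Unsafe scheme: keep the visible label, drop the link entirely
      CGI.escapeHTML(label)
    end
  end
end
```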
An acknowledgement for this report was included in the April 2024 section of the Apple web server security acknowledgements page.
Timeline
- 2020-10-27: Initial disclosure
- 2020-10-27: Acknowledgement
- 2023-12-28: Follow up
- 2024-01-08: Acknowledgement and confirmation a fix is being worked on
- 2024-04-05: Notice that fix is deployed and ask for confirmation
- 2024-04-06: Confirm no longer able to reproduce
- 2024-04-17: Bounty awarded