Bypassing iCloud Web Access Restriction

Today, I am going to share a short story about discovering a vulnerability in www.icloud.com that allowed me to bypass a security restriction using simple response manipulation.

It all started while I was browsing on my iPhone 14 Pro Max when I noticed an interesting feature called “Access iCloud Data on the Web.”

When this feature is disabled, it’s supposed to restrict access to iCloud data via web browser.

Nevertheless, my analysis revealed that it was possible to bypass this restriction and access iCloud data through icloud.com, even when web access is disabled on a trusted device.

Thanks to Apple for allowing me to share this report.

Understanding the Feature

According to Apple’s support page https://support.apple.com/en-mt/102630, this feature ensures that “For additional security and to give you more control over your personal data, you can choose to turn off web access to your iCloud data so that your data is available only on your trusted devices.”

https://support.apple.com/en-mt/102630

Exploitation:

Prerequisites

“IOS 16.2, IpadOS 16.2, MacOS 13.1” with Access iCloud Data on the Web” turned off.Browser.Burp Suite (or a similar tool) to intercept and modify response.The victim’s credentialsAccess to the victim’s iPhone if 2FA is enabled

Note: The vulnerability has been fixed.

Disable Web Access:
On your iPhone, go to Settings -> iCloud and turn off the setting Access iCloud Data on the Web.

2. Open a web browser and go to iCloud.com.

3. Log in to your account.

4. You will be prompted with the following page:

Note: At this stage, you won’t be able to access any endpoints such as:

Icloud.com/mailIcloud.com/notesIcloud.com/iclouddrive

If you try, you would simply be redirected to the same “Restriction” page.

5. Now, the interesting part. Refresh the page and intercept response of request: “setup.icloud.com/ws/1/validate”

Change “isWebAccessAllowed” from false to true.

Or simply:

After modifying the response, you will be granted with access to iCloud data on the web as follows:

MailPhotosDriveNotesRemindersNumbersKeynoteApps that had access control implemented and were not accessible:
Calendar
Contacts

Having such access allowed me to view and download files from Mail, Photos, Drive, Notes, Reminders, Numbers, and Keynote meaning that it’s not just front-end bypass.

If an attacker gets access to victim credentials, he can access iCloud data via www.icloud.com despite web access being restricted via “Manage Web Access To Your Icloud Data” on the device.

Interestingly, by changing a value in the response, access is granted to all of the mentioned apps.

In many cases, even if you steal Icloud credentials, you might need 2FA and because of this Apple lowered the severity.

· Reported on: 10/12/23

· Additional information requested by Apple: 10/13/23

· Additional information provided: 10/13/23

· I’ve noticed issue was fixed on: 12/11/23

· Final decision: 12/21/23