Summary: I discovered a reflected cross-site scripting bug in one of Apple's acquisition sites, Filemaker.com.
On May 15, 2020, I was looking at Apple's web server notifications, an article that gives credit to people who have reported potential security issues in Apple's web servers.
I noticed that Apple gives credit to researchers there along with the domain in which they found a bug. I was scrolling and found an acquisition domain called "Filemaker.com", so I quickly visited it to see if I could find any bug there..!
I was checking the tabs on the site, where I found the Events tab, and I clicked on it:
www.filemaker.com/events/submission.html
Here I can create an event, which has certain fields to fill in with the event details. I quickly filled the fields with an XSS payload wherever it was possible to put one :D. Finally I previewed the form, and the XSS executed. BOOM !!!! :V
I quickly wrote a report and sent it to product-security@apple.com, and they replied with an automated email acknowledging receipt of the report on May 19, 2020.
On May 27, 2020, they fixed the issue and replied with the email below:-
I was aware of this, but I was happy to be listed in their security advisory.
You can find my name on the Apple credit page below:-
#Moral:- If you didn't find a bug in the main domain, look into an acquisition domain.
Here is the proof-of-concept video at the link below:-
URL:- https://youtu.be/LQBJIzcXphI
#Bugbounty
Regards