Saturday 9 December 2023

How I Got a $15000 Reward from Apple - Information Disclosure


It's been quite a long time since I wrote a blog post. Today I would like to disclose one of my findings in Apple, which was reported via the Apple bug bounty program.

While browsing through Apple subdomains I came across one hosting a tool used by Apple and its customers.

After logging in to the tool and going through the application, I came across several vulnerable endpoints where changing the id parameter (a numeric value) led to information disclosure (an insecure direct object reference): email addresses such as @apple.com, @bbc.com and those of other customers. I was able to fetch millions of email addresses using this vulnerability.
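As an added illustration (not code from the original post or from the tool described), here is a minimal model of the endpoint class above: an authenticated lookup keyed only by a client-supplied numeric id, beside a version scoped to the caller's customer organisation. The contact table, tenant names and sample records are constructed assumptions.

```python
# Added example: authenticated-but-not-authorised lookup vs. a tenant-scoped fix.
from dataclasses import dataclass

@dataclass(frozen=True)
class Contact:
    id: int
    tenant: str   # the customer organisation that owns this record
    email: str

# Constructed sample data standing in for the tool's database.
CONTACTS = {
    1: Contact(1, "apple", "someone@apple.com"),
    2: Contact(2, "bbc", "someone@bbc.com"),
    3: Contact(3, "acme", "someone@acme.example"),
}

class NotFound(Exception):
    """Raised for both missing and foreign ids so the response does not reveal which."""

def get_contact_vulnerable(session_tenant: str, contact_id: int) -> str:
    """The bug: login is checked elsewhere, but the id is trusted as-is,
    so any logged-in user of any customer can read any record."""
    return CONTACTS[contact_id].email

def get_contact_fixed(session_tenant: str, contact_id: int) -> str:
    """The fix: the lookup is scoped to the caller's tenant; a valid id alone
    is never sufficient, and a foreign id looks identical to a missing one."""
    record = CONTACTS.get(contact_id)
    if record is None or record.tenant != session_tenant:
        raise NotFound()
    return record.email

def leak_check(handler, session_tenant: str, id_range: range) -> list[str]:
    """Authorisation regression test: walk a numeric id range as one tenant
    and return every email the handler hands back. Only that tenant's own
    records should ever appear in the result."""
    leaked = []
    for i in id_range:
        try:
            leaked.append(handler(session_tenant, i))
        except (KeyError, NotFound):
            pass
    return leaked
```

Running `leak_check` against the vulnerable handler as the "acme" tenant returns all three addresses; against the fixed handler it returns only acme's own record.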

Below are a few screenshots where the data was leaking.


Screenshot: Apple customer @bbc emails leaking.

Apple was quick to fix these issues and rewarded a total of $15000 USD.

That's all for today, I will disclose more writeups in future :)

Thanks

Haji