Independent security researcher Mirza Burhan Baig of blackbitz.net has identified a DOM-based cross-site scripting (XSS) vulnerability on the “Find Locations” subdomain of Apple’s official website (locate.apple.com).
Apple has addressed the issue and officially credited the expert for his findings.
The researcher has explained that the DOM-based XSS vulnerability could have been triggered on all the approximately 85 webpages dedicated to finding sales, service, training and certification, and consulting locations around the world.
The expert says the vulnerability, which he identified and reported back in December, could have been used to hijack user sessions and possibly even accounts.
You can check out the proof-of-concept screenshot sent by the researcher to Softpedia.
Back in December 2012, Mirza Burhan Baig identified a similar DOM-based XSS vulnerability on Microsoft’s Surface website