A few days ago, April 24 2007 to be exact, I performed a search on apple.com and out of curiosity, performed another search with HTML characters to see if they would be echoed back into the HTML. In other words, I was trying to see if apple.com’s search feature was susceptible to XSS (Cross Site Scripting). I found one attack vector and immediately alerted product-security@apple.com. An XSS issue on apple.com is of significant risk because it can be exploited by attackers to steal data from users that are signed on to apple.com.
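The check described above, reflected back into the page unencoded, is the classic symptom of reflected XSS in a search feature. The following is an added example, not code from the post or from apple.com: a minimal search-results renderer in its vulnerable form beside the hardened form, plus a harmless reflection probe of the kind the author describes, so the difference can be seen on constructed input. The function names and the probe string are assumptions made for this illustration.

```javascript
// Added example (not from the original post): a search-results renderer that
// reflects the user's query, shown vulnerable and hardened, with a reflection
// check run against both. Names and sample values here are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-entity-encode a value for insertion into element content or a
// quoted attribute. Every character that can change HTML structure is covered.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ESCAPES[c]);
}

// Vulnerable: the untrusted query is concatenated straight into the markup,
// so any tags or attributes in it become part of the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page, but the untrusted value is encoded for its
// HTML context before it is inserted.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Reflection probe: a benign marker containing markup characters. If the
// renderer returns it byte-for-byte, input reaches the HTML without encoding,
// which is the condition a reflected XSS finding rests on.
const PROBE = '<b>probe</b>';
function reflectsUnencoded(renderer) {
  return renderer(PROBE).includes(PROBE);
}

// Stand-alone demonstration on the constructed probe.
console.log('vulnerable reflects unencoded:', reflectsUnencoded(renderSearchVulnerable)); // true
console.log('hardened reflects unencoded:  ', reflectsUnencoded(renderSearchHardened));   // false
console.log(renderSearchHardened(PROBE)); // <h1>Results for: &lt;b&gt;probe&lt;/b&gt;</h1>
```

The probe deliberately carries no script; what matters for the finding is whether the markup characters survive unchanged, and the fix is context-appropriate output encoding of every untrusted value, not filtering of particular inputs.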

On April 25, 2007, I received a thank-you email from Apple letting me know that they were investigating the issue. The email also stated: “Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further” and included a case number.

On April 27, 2007, I received another email from Apple letting me know that the XSS vulnerability had been fixed. They asked me for permission to acknowledge me for alerting them of the issue at http://docs.info.apple.com/article.html?artnum=302530.

[NOTE: When I discovered the XSS issue, I noticed there were other components of apple.com that contained symptoms of bad design (in terms of security), so I won’t be surprised if apple.com is vulnerable to other attack vectors. If I were responsible for security at Apple, I would initiate a source code security analysis of the apple.com web application immediately.]

I want to publicly applaud Apple for handling this in a prompt and courteous way. Having reported vulnerabilities to various companies in the past, I have to say that my personal experience with Apple was quite refreshing.