A stored cross-site scripting (XSS) vulnerability in the iCloud domain has reportedly been patched by Apple, per a blog post shared by ZDNet.
The post says that bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a stored XSS issue in icloud.com. According to Bharad, the XSS flaw in icloud.com was found in the Page/Keynotes features of Apple’s iCloud domain.
ZDNet says it’s reached out to Apple for comment and “will update when we hear back.”
Speaking of vulnerabilities, MacRumors reported on the second known piece of malware compiled to run natively on M1 Macs. Dubbed “Silver Sparrow,” the malicious package is said to leverage the macOS Installer JavaScript API [application programming interfaces] to execute suspicious commands.
After observing the malware for over a week, however, security firm Red Canary did not observe any final payload, so the exact threat to users remains a mystery. Apple has since informed MacRumors that it has revoked the certificates of the developer accounts used to sign the packages, preventing additional Macs from being infected. Apple also reiterated that Red Canary found no evidence to suggest the malware has delivered a malicious payload to Macs that have already been infected.
