Wow, what a nice chain by @zemnmez exploiting various issues in the Apple ID service. I particularly like the trick to make event.source be null for messages, wasn’t aware of this one. In the end there is even XSS on the domain, CSP isn’t preventing it.

· · Web · 0 · 0 · 0
Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.