TL;DR - Follow Garyvee on Twitter, and you’ll probably find XSS.
When you work a desk job, sometimes you need inspiration to ‘crush it’, and Gary Vaynerchuk is my go-to hero when it comes to trying to be more productive and push forward in my career. Plus, he had Welshly Arms’ Legendary as his intro for DailyVee, which I now listen to all the time. By procrastinating more on Twitter, I saw that Gary was going to be in Planet Of The Apps, and he recommended that everyone should check out the website. When you visit the site, it looks pretty average, and it is: a very basic promotional website with a trailer embedded.
Like every normal person, whenever visiting a website, I always view the source. By looking at the source, you could tell directly that something funky was going on; check out the source if you want to figure it out on your own.
When you look at the source, you see the following iFrame:
<iframe allowfullscreen='' frameborder='0' height='100%' scrolling='no' src='https://embed.apple.media/public/assets/player.html?id=59a0662a064b5400127610ba&src=https://embed.apple.media/public/embeds/59a0662a064b5400127610ba.json'
It’s very strange to load a resource in an iFrame and then include the same origin with a JSON object through a .json resource.
That didn’t work, and it’s generally not that easy, so next I looked to see what was being rendered in the .json file, and as you could see it was metadata for rendering the video.
And finally, after manipulating it enough, I got my XSS in the “title” field.
So I had about 15 minutes until I was joining a friend to watch a film, so I wrote up a quick and dirty email and fired it over to firstname.lastname@example.org
Something I learnt from this (h/t Alex): you don’t always have to excessively load from an external resource.
You can use Data URIs to load resources in the same way.
The format of Data URIs is data:[<mediatype>][;base64],<data>.
So in this case, you can include a Data URI with the media type application/json and the base64-encoded data, so the URL takes the form https://embed.apple.media/public/assets/player.html?id=58a25450bd109a0012ecb3a5&partner=Apple&src=data:application/json;base64,DATA.
So if you have a JSON object, you can simply base64 encode it and include it in a Data URI, and your payload becomes this, which is pretty neat.
The fix appears to be that it’s only loading resources from whitelisted domains. I looked at trying to include Data URIs, and load from third-party resources over HTTP and HTTPS, and used general bypass techniques to load a third-party domain, but it appears sufficient.
One thing that has changed is that the IDs no longer need to match, so you can just include https://embed.apple.media/public/assets/player.html?id=&src=https://embed.apple.media/public/embeds/59a0662a064b5400127610ba.json and it will still render.
Let me know if you find another way to load another resource, after you report it and they resolve it responsibly of course :).
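The kind of check the fix describes, combined with output encoding for the "title" metadata, as an added example (not Apple's code and not code from the original post). `ALLOWED_HOSTS`, `isAllowedSrc`, `escapeHtml` and `renderTitle` are hypothetical names, and the single-host allowlist is an assumption.

```javascript
// Added example: allowlist check for the player's `src` parameter plus
// output encoding for metadata fields. All names here are hypothetical.
const ALLOWED_HOSTS = new Set(['embed.apple.media']); // assumed allowlist

// Returns true only for https URLs on an allowlisted host with no
// embedded credentials; data:, http: and lookalike hosts all fail.
function isAllowedSrc(raw) {
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative input throws
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;    // rejects data:, http:, javascript:
  if (url.username || url.password) return false; // rejects allowed-host@other-host
  if (url.port !== '') return false;              // default port only
  return ALLOWED_HOSTS.has(url.hostname);         // exact match, never endsWith/includes
}

// HTML-encode a metadata string before placing it in markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Build the title markup only when the source passed the allowlist;
// the title is encoded even then, so a trusted host is not a trusted string.
function renderTitle(src, metadata) {
  if (!isAllowedSrc(src)) return null;
  return '<h1>' + escapeHtml(metadata.title) + '</h1>';
}

// Constructed sample inputs (not taken from the original report).
const samples = [
  'https://embed.apple.media/public/embeds/59a0662a064b5400127610ba.json',
  'data:application/json;base64,e30=',
  'http://embed.apple.media/public/embeds/x.json',
  'https://embed.apple.media.example.net/x.json',
  'https://embed.apple.media@example.net/x.json',
];
for (const s of samples) console.log(isAllowedSrc(s), s);
console.log(renderTitle(samples[0], { title: '<b>Trailer</b> & more' }));
```

Parsing with `URL` and comparing the exact hostname is what defeats the lookalike and userinfo forms; substring or suffix matching on the raw string would accept them.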
To give Apple credit, whilst it did take a long time to resolve, embed.apple.media isn’t exactly a high priority domain. I reported the issue in May 2017 and it was resolved in January 2018; the Apple team did respond in a timely manner to all my emails.
- Initial email reporting issue May 25 2017
- Response from Apple May 26 2017
- Request on status June 12 2017
- Response from Apple June 12 2017
- Request on status October 11 2017
- Response from Apple October 12 2017
- Request on status December 12 2017
- Response from Apple December 15 2017
- Request on status February 05 2018
- Response from Apple confirming resolved February 05 2018
- Hall Of Fame 🎉