How I placed into Apple Hall of Fame in 5 Minutes.

Abinesh M
2 min readSep 10, 2023

Hi Heckerss!!

I understand this blog is too late, but I want to share how I got 3x Hall of Fame in Apple.

Let's Start…!

Type gif

How to Find Target 🎯:

I randomly searched on the Apple Old Hall of Fame page, I got some subdomains.

Tip: Collect all the subdomains and save them into one text file 😉, Use httpx to find alive domains this will save your time.

Vulnerability :

Try all the vulnerabilities you know 🙌

Now I will explain my findings:

Vulnerability Name: Content Spoofing

Content spoofing, also known as content injection, is a type of security vulnerability that allows an attacker to manipulate the content displayed on a website or application.

Content spoofing can be a result of inadequate input validation or insufficient security controls.

Steps to reproduce:

  1. Find a targeted URL (http://abi.example.com/)
  2. Enter any text after the URL to check content spoofing
  3. I used this one please_go_to_www.evil.com
  4. This text was reflected on the page.

Example: http://abi.example.com/please_go_to_www.evil.com

Note: abi.example.com is the example domain, put your targeted domain.

Now I tried to inject HTML and XSS payloads, But unfortunately, I didn’t get anything 🥲

It's okay… 😉

Reporting Time:

I reported the vulnerability to Apple in January 2022, and they listed my Name in March 2022.

Note: Patience is more important because Apple takes long months to fix and reply.

Okay… will see in the next blog 👋🙋‍♂️.

Happy Hunting….!

Reach out to me, If you have any queries 🤝

👔 LinkedIn: Abinesh M

📱 Instagram: Abi_Hecker

--

--