Pleasant Experience with Apple's Security Contact

by Nitesh Dhanjani

A few days ago, April 24, 2007 to be exact, I performed a search on apple.com and, out of curiosity, performed another search with HTML characters to see if they would be echoed back into the HTML. In other words, I was trying to see if apple.com's search feature was susceptible to XSS (Cross Site Scripting). I found one attack vector and immediately alerted product-security@apple.com. An XSS issue on apple.com is of significant risk because it can be exploited by attackers to steal data from users who are signed on to apple.com.
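The risk described above comes from a search page reflecting the submitted term into its HTML without encoding it. The following Python is an added illustration written for this post, not code from apple.com or from the author: it contrasts a naive results template with one that encodes the term for the HTML text context (and, for a link, for the attribute and URL contexts), and includes the simple check a defender can run against a page, namely whether a constructed probe containing HTML characters comes back unmodified. The function names and the sample query are assumptions made for the example.

```python
import html
from urllib.parse import quote

# Constructed sample input: a search term that contains HTML characters.
SAMPLE_QUERY = "<b>mac</b>"


def render_results_unsafe(query: str) -> str:
    """Naive template: reflects the search term into the page verbatim.

    Any markup in the term becomes part of the page's DOM, which is the
    reflected-XSS condition the post describes.
    """
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    """Encodes the term for the HTML text context before reflecting it.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the characters as text instead of parsing them as tags.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(query: str) -> str:
    """Reflects the term into two different contexts, each with its own encoding.

    The href value is percent-encoded as a URL component; the visible link
    text is HTML-entity-encoded. Using one encoding for both is a common bug.
    """
    return (
        f'<a href="/search?q={quote(query, safe="")}">'
        f"{html.escape(query, quote=True)}</a>"
    )


def reflects_markup(page: str, probe: str) -> bool:
    """Defender's check: does the rendered page contain the probe unmodified?

    A True result on a real page means the term reaches the HTML without
    encoding and warrants a report like the one described in the post.
    """
    return probe in page


if __name__ == "__main__":
    print("unsafe:", render_results_unsafe(SAMPLE_QUERY))
    print("safe:  ", render_results_safe(SAMPLE_QUERY))
    print("link:  ", render_link_safe(SAMPLE_QUERY))
    print("unsafe reflects markup:", reflects_markup(render_results_unsafe(SAMPLE_QUERY), SAMPLE_QUERY))
    print("safe reflects markup:  ", reflects_markup(render_results_safe(SAMPLE_QUERY), SAMPLE_QUERY))
```

Run as-is and the unsafe template reports the probe reflected while the encoded template does not; the same `reflects_markup` check, pointed at a fetched page instead of a local template, is the first test to run when triaging a report like this one.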

On April 25, 2007, I received a thank-you email from Apple letting me know that they were investigating the issue. The email also stated: "Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further" and included a case number.