Pleasant Experience with Apple's Security Contact

by Nitesh Dhanjani

A few days ago, April 24, 2007 to be exact, I performed a search on and out of curiosity, performed another search with HTML characters to see if they would be echoed back into the HTML. In other words, I was trying to see if's search feature was susceptible to XSS (Cross Site Scripting). I found one attack vector and immediately alerted. An XSS issue on is of significant risk because it can be exploited by attackers to steal data from users that are signed on to
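The weakness described above, a search term echoed back into the page without encoding, is easy to show side by side with its fix. The following is an added example, not code from the original post or from Apple: a vulnerable renderer that concatenates the query into markup, a hardened renderer that HTML-escapes it first, and a small check of the kind a defender would run to confirm that no markup-significant character from the query reaches the page raw. The probe string, the page template and all function names are constructed for this example.

```javascript
// Added example: reflected search-term echo, vulnerable vs. hardened.
// Nothing here is taken from the original post; all names are hypothetical.

// Escape the five characters that matter inside HTML text nodes and
// double- or single-quoted attribute values. Ampersand must go first so
// that already-produced entities are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the raw query lands in a text node and in an
// attribute value, so any markup in it becomes part of the page.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>` +
         `<input type="text" name="q" value="${query}">`;
}

// Hardened rendering: encode once, at the point of insertion into HTML.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>` +
         `<input type="text" name="q" value="${q}">`;
}

// Defensive check: if the query contains markup-significant characters and
// the rendered page still contains the query verbatim, the page is
// reflecting it unencoded. A query with none of those characters is
// expected to appear verbatim and is not a finding.
function reflectsRawMarkup(query, html) {
  if (!/[<>"']/.test(query)) return false;
  return html.includes(query);
}

// Constructed, harmless probe: closes the attribute and adds a bold tag,
// which is enough to reveal whether encoding is applied.
const PROBE = '"><b>probe</b>';

function demo() {
  const unsafe = renderSearchUnsafe(PROBE);
  const safe = renderSearchSafe(PROBE);
  return {
    unsafeReflects: reflectsRawMarkup(PROBE, unsafe), // true
    safeReflects: reflectsRawMarkup(PROBE, safe),     // false
    safeHtml: safe,
  };
}

console.log(demo());
```

The hardened version relies on context-specific encoding: the same escaper is adequate here because the query is only ever placed in a text node or a quoted attribute. Placing user input into a script block, a URL, or an unquoted attribute needs a different encoder, and a template engine that auto-escapes by default removes the chance of forgetting the call.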

On April 25, 2007, I received a thank-you email from Apple letting me know that they were investigating the issue. The email also stated: "Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further" and included a case number.