
Exposing iCloud Users’ Names, Phone Numbers, and Email Addresses


I'm Renganathan, Founder of R Protocols, a hacker-driven Cyber Security Firm. Thanked by Google, Apple, LinkedIn, and more than fifty Fortune and Unicorn Startups for reporting their Security Vulnerabilities.

During security research on iCloud’s web functionalities, a misconfiguration was identified within the Notes sharing feature that exposed sensitive user metadata. Although the contents of private notes were not accessible, the system unintentionally revealed the full name, phone number, and email address of the owner of certain shared Notes.

This issue was responsibly disclosed to Apple, validated by the Apple Product Security Team, and subsequently remediated.


Step-by-Step Breakdown of the Issue

Users Involved:

  • User A: Owner of an iCloud Note

  • User B: External user accessing publicly shared Notes

  1. A user generated a shareable iCloud Notes link in the format:
    https://www.icloud.com/notes/0MJM1URPtcLj6k0s1bDIIB3Bg

  2. Some of these shared Notes were publicly indexed by search engines due to user sharing configurations.

  3. Publicly shared Notes links were discovered via Google dorking, for example:
    site:icloud.com/notes/*

    [Image: indexed iCloud links]

  4. When accessing certain shared Notes, the system returned a verification prompt rather than a direct 404 or access denial.

  5. Upon clicking the Verify button, the page displayed the email address associated with the Note’s owner along with the file name.

    [Image: exposed iCloud Notes filename]

    [Image: exposed iCloud user email id]

    In some instances, the interface also returned the owner's phone number, depending on the sharing configuration.

    [Image: exposed iCloud user phone number]

  6. Opening the same shared link in a private browsing session exposed the full name of the owner.

    [Image: iCloud user's name exposed]

  7. Attempts to exploit the verification flow further (e.g., modifying API requests to extract additional data) were mitigated by Apple’s backend and did not result in unauthorized access to note content.

The vulnerability was limited to the exposure of user metadata, not the notes themselves.

Technical Root Cause

The misconfiguration originated from how the iCloud Notes sharing mechanism handled identity verification for shared links. When verification was triggered for a public Note URL, the platform disclosed:

  • The email address associated with the Apple ID

  • The phone number associated with the Apple ID (in some cases)

  • The Apple ID display name

These details were revealed without requiring authentication and were accessible to any external user visiting the shared link.

Additionally, the public indexability of certain Notes URLs allowed search engines like Google to crawl and surface shareable iCloud Notes links, increasing the exposure surface.

Impact

The vulnerability allowed unauthorized users to:

  • Identify the Apple ID email address associated with a shared iCloud Note

  • Access the Apple ID owner’s phone number in specific cases

  • Retrieve the full display name of the Apple ID owner

Although the Note contents were not exposed, this metadata could be used for:

  • Targeted phishing

  • Social engineering

  • Identity profiling


Fix & Apple’s Response

Apple acknowledged the report and addressed the root cause by preventing public crawling of iCloud Notes share URLs and tightening the verification flow to ensure user metadata is no longer exposed.

The issue was fixed completely after acknowledgment.
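As an added illustration (not Apple's code, and not from the original post), the Python below models the root cause and the fix described above: a toy share-link verification handler in its leaky form, where the prompt shown to an anonymous visitor is built from the owner's account record, beside a hardened form that withholds owner attributes until the visitor is signed in, answers identically for existing and non-existing notes, and marks the share URL noindex so crawlers do not surface it. It also includes a small scan a defender can run over their own endpoint's responses to catch contact data reaching unauthenticated visitors. The note ID, owner record, response shape and all function names are assumptions constructed for this example.

```python
"""Toy model of a share-link verification endpoint: leaky vs hardened.
All data and names here are constructed for illustration, not Apple's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: one shared note and the owner's account metadata.
NOTES = {
    "NOTE-EXAMPLE-ID": {
        "title": "Holiday packing list",
        "owner": {
            "display_name": "Example Owner",
            "email": "owner@example.com",
            "phone": "+1 555 0100",
        },
        "content": "(private note body; neither handler ever returns it)",
    },
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


def verify_share_leaky(note_id: str, authenticated_user: Optional[str]) -> Response:
    """Leaky pattern: the verification prompt is rendered from the owner's
    account record, so an anonymous visitor sees name, email and phone
    before any identity check has happened (the note body stays hidden)."""
    note = NOTES.get(note_id)
    if note is None:
        return Response(404, body={"error": "not found"})
    owner = note["owner"]
    return Response(200, body={
        "action": "verify",
        "title": note["title"],
        "owner_name": owner["display_name"],
        "owner_email": owner["email"],
        "owner_phone": owner["phone"],
    })


def verify_share_hardened(note_id: str, authenticated_user: Optional[str]) -> Response:
    """Hardened pattern: anonymous visitors get one generic prompt with no
    note or owner attributes (same shape whether the note exists or not),
    every response tells crawlers not to index the share URL, and even a
    signed-in visitor never receives raw contact data."""
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    if authenticated_user is None:
        return Response(200, headers=headers, body={"action": "sign_in_required"})
    note = NOTES.get(note_id)
    if note is None:
        return Response(404, headers=headers, body={"error": "not found"})
    return Response(200, headers=headers, body={
        "action": "open",
        "title": note["title"],
        "owner_name": note["owner"]["display_name"],
    })


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def find_contact_leaks(resp: Response) -> List[str]:
    """Scan every string field of a response body for email-like or
    phone-like values. Run against your own endpoint while unauthenticated:
    anything listed here is owner contact data reaching an anonymous visitor."""
    found = []
    for key, value in resp.body.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.search(value):
            found.append(f"{key}: email")
        if PHONE_RE.search(value):
            found.append(f"{key}: phone")
    return found


def is_crawlable(resp: Response) -> bool:
    """True when the response carries no noindex directive for search engines."""
    return "noindex" not in resp.headers.get("X-Robots-Tag", "").lower()


if __name__ == "__main__":
    for handler in (verify_share_leaky, verify_share_hardened):
        r = handler("NOTE-EXAMPLE-ID", authenticated_user=None)
        print(handler.__name__, r.status, find_contact_leaks(r),
              "crawlable" if is_crawlable(r) else "noindex")
```

The two handlers differ on exactly the three points the root cause names: whether owner attributes are emitted before authentication, whether the anonymous response lets a visitor distinguish real share IDs from invalid ones, and whether the share URL is marked for crawlers to skip.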

Apple’s security team handled the disclosure professionally, validated the vulnerability, and credited my name, “Renganathan”, in the Apple Security Hall of Fame.

Timeline

  • Reported: June 2, 2021

  • Accepted & Fix Implemented: June 16, 2021

  • Fully Resolved: June 2021

  • Hall of Fame Recognition: February 2022