FOLLOW US

Apple Inc (NASDAQ: AAPL) rewarded $28,500 to a team of hackers who submitted a detailed report about the 55 vulnerabilities they found after hacking the tech giant's security bounty or bug bounty program.

In a blog post, one of the hackers, Sam Curry wrote that he and his fellow hackers spent three months hacking the Apple Security Bounty program.

Within the article I'd mentioned that Apple had not yet paid for all of the vulnerabilities. Right after publishing it, they went ahead and paid for 28 more of the issues making the running total $288,500: pic.twitter.com/WtOfndu298

— Sam Curry (@samwcyo) October 8, 2020

 He and Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked as a team from July 6 to October 6 understanding the Apple infrastructure and targeting its individual web servers that they think are more likely to have security flaws.

According to Curry, they discovered 55 vulnerabilities with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports.

The security flaws that they found in the tech giant's infrasture could have "allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects," wrote Curry.

He added that the vulnerabilities could have enabled bad actors to "fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources."

Curry noted that most of the vulnerabilities they reported to Apple have been fixed as of October 6. It only takes as little as 4-6 hours to fix the problems.

Apple has a massive and complex infrastructure

Curry said they started scanning to determine what the Apple universe includes and what parts would be accessible to them. The results of their scanning were indexed in a dashboard along with HTTP status code, response body, headers, and a screenshot of the accessible web servers under the various domains owned by Apple.

Apple owns all of the 17.0.0.0/8 IP range, including 25,000 web servers with 10,000 under apple.com, 7,000 unique domains, as well as Apple’s own TLD (.apple) are part of this vital and growing infrastructure. 

Curry said they spent the majority of their time on the core foundations. The core of functionality comes from the 17.0.0.0/8 IP range, .apple.com, and .icloud.com.

They extensively scanned Apple’s systems and tested various exploits and found vulnerabilities.