Apple bug bounty program: hackers rewarded $288,500 for reporting 55 vulnerabilities


Apple Inc (NASDAQ: AAPL) rewarded $288,500 to a team of hackers who submitted detailed reports on the 55 vulnerabilities they found while hacking the tech giant’s infrastructure under its security bounty, or bug bounty, program.

In a blog post, one of the hackers, Sam Curry, wrote that he and his fellow hackers spent three months hacking Apple under the Apple Security Bounty program.

He and Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked as a team from July 6 to October 6, mapping Apple’s infrastructure and targeting the individual web servers they thought were most likely to have security flaws.

According to Curry, they discovered 55 vulnerabilities: 11 rated critical severity, 29 high severity, 13 medium severity, and 2 low severity.

The security flaws they found in the tech giant’s infrastructure could have “allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects,” wrote Curry.

He added that the vulnerabilities could have enabled bad actors to “fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

Curry noted that most of the vulnerabilities they reported to Apple had been fixed as of October 6, with some fixed in as little as 4-6 hours of being reported.

Apple has a massive and complex infrastructure

Curry said they started by scanning to determine what the Apple universe includes and which parts would be accessible to them. The scan results were indexed in a dashboard along with the HTTP status code, response body, headers, and a screenshot of each accessible web server under the various domains owned by Apple.

Apple owns the entire 17.0.0.0/8 IP range. That range, along with roughly 25,000 web servers (10,000 of them under apple.com), 7,000 unique domains, and Apple’s own TLD (.apple), is part of this vital and growing infrastructure.

Curry said they spent the majority of their time on the core foundations. The core functionality comes from the 17.0.0.0/8 IP range, .apple.com, and .icloud.com.

They extensively scanned Apple’s systems, tested the weaknesses they identified, and confirmed them as vulnerabilities.

The team wasn’t able to disclose all of the flaws they found but Curry provided write-ups for some of the more interesting vulnerabilities in their report.

Some of the more important vulnerabilities discovered were a “full compromise of Apple’s Distinguished Educators Program; a cross-site scripting attack that could allow hackers to steal user iCloud data via email; and a vulnerability that may have allowed attackers to compromise Apple’s internal inventory and warehousing system.”

Curry emphasized that his team obtained permission from Apple’s product security team to publish information on the vulnerabilities. “All of the vulnerabilities disclosed here have been fixed and re-tested. Please do not disclose information pertaining to Apple’s security without their permission,” Curry said.

He also noted, “Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.”

Recently, Apple’s relationships with its users and developers have come into question.

The Apple bug bounty program

Apple’s Developer Program is where developers use the company’s platforms and frameworks to create their own apps.

The tech giant had long maintained an invitation-only bug bounty program for selected security researchers looking for iOS security bugs. Originally, it only paid bounties for issues affecting physical products like the iPad or the iPhone.

In December 2019, the company launched the Apple Security Bounty program as part of its commitment to ensuring that all of its infrastructure, products, and services are secure. Apple encouraged its existing developers, outside security researchers, and hackers to report security flaws in return for rewards.

Under the revamped bug bounty program, any security researcher who finds security flaws in iOS, macOS, tvOS, watchOS, or iCloud becomes eligible for cash payouts upon disclosing the bugs and vulnerabilities.
