Apple bug bounty program: hackers rewarded $288,500 for reporting 55 vulnerabilities


Apple owns the entire 17.0.0.0/8 IP range, which includes 25,000 web servers, with 10,000 under apple.com. There are also 7,000 unique domains, as well as Apple’s own TLD (.apple), in this vital and growing infrastructure.

Curry said they spent the majority of their time on the core foundations. The core of functionality comes from the 17.0.0.0/8 IP range, .apple.com, and .icloud.com.

They extensively scanned Apple’s systems, tested various exploits, and found vulnerabilities.


The team wasn’t able to disclose all of the flaws they found, but Curry provided write-ups for some of the more interesting vulnerabilities in their report.

Some of the more important vulnerabilities discovered were a “full compromise of Apple’s Distinguished Educators Program; a cross-site scripting attack that could allow hackers to steal user iCloud data via email; and a vulnerability that may have allowed attackers to compromise Apple’s internal inventory and warehousing system.”

Curry emphasized that his team obtained permission from Apple’s product security team to publish information on the vulnerabilities. “All of the vulnerabilities disclosed here have been fixed and re-tested. Please do not disclose information pertaining to Apple’s security without their permission,” Curry said.