Apple pays ethical hackers $288k for finding 55 vulnerabilities


Apple has paid a group of ethical hackers $288,500 (£222,813) for finding and disclosing critical vulnerabilities in its network, some of which could have provided access to company infrastructure and iCloud data.

Since 6 July of this year, Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes have worked together as part of Apple’s bug bounty programme. The team discovered a total of 55 vulnerabilities, 11 of which were of critical severity, 29 of high severity, 13 of medium severity, and two of low severity.

The 11 most critical bugs made it possible for the group to access Apple’s infrastructure and use it to potentially steal confidential information such as private emails and iCloud data.

Sam Curry said that the team “found a variety of vulnerabilities in core portions of [Apple’s] infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account” and “fully compromise an industrial control warehouse software used by Apple”, as detailed in a blog post covering three months of research.

He added that exploits may have also allowed hackers to "take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources".

The 11 vulnerabilities found to be critical were as follows:

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  • Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys

According to Curry, the “vast majority” of the 55 vulnerabilities have already been fixed.

“They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours),” he added.

Apple has so far paid the team a total of $288,500 for discovering the vulnerabilities, and they could be awarded another quarter of a million dollars once the tech giant has processed the entirety of their report.

Sabina Weston

Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.

Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.