Apple pays ethical hackers $288k for finding 55 vulnerabilities

If exploited, the bugs would have provided access to Apple's infrastructure and sensitive user data

Apple has paid a group of ethical hackers $288,500 (£222,813) for finding and disclosing critical vulnerabilities in its network, some of which could have provided access to company infrastructure and iCloud data.

Since 6 July of this year, Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes have worked together as part of Apple's bug bounty programme. The team discovered a total of 55 vulnerabilities: 11 of critical severity, 29 of high severity, 13 of medium severity, and two of low severity.

The 11 most critical bugs made it possible for the group to access Apple’s infrastructure and use it to potentially steal confidential information such as private emails and iCloud data.

Sam Curry said that the team “found a variety of vulnerabilities in core portions of [Apple’s] infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account" and "fully compromise an industrial control warehouse software used by Apple", as detailed in a blog covering three months of research.

He added that exploits may have also allowed hackers to "take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources".

The 11 vulnerabilities found to be critical were as follows:

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  • Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys
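To make one of these bug classes concrete, the following is an added illustration of "command injection via an unsanitized filename argument", written for this page and not taken from Apple's systems or from the researchers' report. It is a hypothetical upload handler: the vulnerable version interpolates a user-supplied filename into a shell string, so a name such as `report.txt; echo INJECTED` runs a second command; the hardened version rejects names outside a strict allowlist and passes the filename as a single argv element with no shell at all. The filenames, the `uploads/` directory and the `gzip` invocation are constructed for the example.

```python
import re
import subprocess
import sys

# Constructed inputs for the demonstration (hypothetical, not real data).
GOOD_NAME = "report.txt"
BAD_NAME = "report.txt; echo INJECTED"  # shell metacharacters inside a "filename"

# Allowlist: plain basenames only. First character must be alphanumeric or
# underscore, which blocks "..", hidden files and option injection like "-rf";
# no "/" or whitespace is permitted anywhere.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,254}$")


def vulnerable_run(filename):
    """Vulnerable pattern: build a shell string from the raw filename and hand
    it to /bin/sh. Everything after ';' in the name becomes a second command."""
    cmd = f"printf '%s\\n' uploads/{filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_without_shell(filename):
    """No shell: the filename travels as one argv element and is never parsed
    for metacharacters. The Python interpreter stands in for the external tool
    and simply echoes the argument it received."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])",
            f"uploads/{filename}"]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def is_safe_name(filename):
    """True only if the name matches the allowlist above."""
    return SAFE_NAME.fullmatch(filename) is not None


def hardened_argv(filename):
    """Hardened pattern: validate against the allowlist, then build an argv
    list (no shell). '--' tells the tool to stop option parsing, so even a
    name that slipped past validation could not be read as a flag."""
    if not is_safe_name(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["gzip", "-k", "--", f"uploads/{filename}"]


if __name__ == "__main__":
    print("vulnerable, shell=True:", repr(vulnerable_run(BAD_NAME)))
    print("argv list, no shell:   ", repr(run_without_shell(BAD_NAME)))
    print("hardened argv:         ", hardened_argv(GOOD_NAME))
    for name in (BAD_NAME, "-rf", "../etc/passwd"):
        print("allowlist accepts", repr(name), "->", is_safe_name(name))
```

Two separate controls are at work here, and the hardened path keeps both: validation stops hostile names at the boundary, and the argv list removes the shell so that nothing is interpreted even if validation is bypassed. `shell=True` with string formatting, or any equivalent such as `os.system`, is the root cause regardless of how the filename is escaped afterwards.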

According to Curry, the “vast majority” of the 55 vulnerabilities have already been fixed.

“They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours),” he added.

Apple has so far paid the team a total of $288,500 for discovering the vulnerabilities, and they could be awarded another quarter of a million dollars once the tech giant processes the entirety of their report.
