A team of security researchers spent three months hacking Apple, discovered a slew of vulnerabilities in the company’s digital infrastructure, and received bounty payments totaling more than $50,000.
The Cupertino tech giant maintains a bug bounty program that pays security researchers for found vulnerabilities. As researcher Sam Curry notes, he previously thought that Apple only paid bounties for issues affecting physical products like the iPhone.
But, in July, Curry noticed that bounties were seemingly available for web infrastructure, too. According to Apple’s bug bounty program page, the company pays out for vulnerabilities with a “significant impact to users.” Curry then recruited a team of fellow security researchers — Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes — and began scrutinizing Apple’s systems.
After three months of scanning Apple’s systems and testing various exploits, the team found a total of 55 vulnerabilities of varying severity. At least 11 were ranked as critical and 29 were of a high severity.
“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”
The team wasn’t able to disclose all of the flaws they found in detail, but Curry did provide write-ups for some of the more interesting vulnerabilities. Disclosures include a full compromise of Apple’s Distinguished Educators Program; a cross-site scripting attack that could allow hackers to steal user iCloud data via email; and a vulnerability that may have allowed attackers to compromise Apple’s internal inventory and warehousing system.
Throughout the process, Curry said that Apple’s product security staffers were very responsive. The average turnaround time for critical security reports was about four hours between submission and remediation. Typically, flaws were fixed within one to two business days, with some of them fixed in as little as four to six hours.
As of Oct. 4, the team has received four bounty payments totaling $51,500 for some of the vulnerabilities, and expects Apple to send payment for even more critical flaws.
Curry said that they obtained permission from Apple’s product security team to publish information on the vulnerabilities and “are doing so at their discretion.”
“All of the vulnerabilities disclosed here have been fixed and re-tested. Please do not disclose information pertaining to Apple’s security without their permission,” Curry notes.
The security researchers note that they went into the project blind, since information on Apple’s bug bounty program is spotty. “We were pretty much going into unchartered [sic] territory with such a large time investment,” Curry wrote.
“Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities,” Curry wrote.