Source: iMore
What you need to know
- A group of hackers spent three months hunting for bugs under Apple's Security Bounty program.
- The group found vulnerabilities across various parts of Apple's infrastructure.
- The team has already received $51,500 in bounty payouts and is expecting more.
A group of hackers has detailed how they spent three months hacking Apple, uncovering various vulnerabilities, and cashing in on Apple's Security Bounty program in the process.
The group, made up of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes, worked through Apple's infrastructure from top to bottom over the course of three months. From the report:
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.
The group says it found 55 vulnerabilities in total, ranging from critical through high, medium, and low severity. It also states that Apple had addressed "the vast majority" of the findings, usually within one or two business days and sometimes within a few hours.
The team decided to take on the program after realizing that Apple's Security Bounty program covers not just Apple's physical products but its web assets and infrastructure as well. Curry writes:
This caught my attention as an interesting opportunity to investigate a new program that appeared to have a wide scope and fun functionality. At the time I had never worked on the Apple bug bounty program so I didn't really have any idea what to expect but decided why not try my luck and see what I could find.
The report goes into immense detail on the individual vulnerabilities and on the strategies used to find and attack weaknesses, and judging from the response on Twitter, it sounds like a must-read for anyone with an interest in the subject.
In conclusion, the team writes that, as of October 4, it has received four payments totaling $51,500. Specifically:
- $5,000 - Disclosing the Full Name of iCloud users via Editor Invitation on redacted
- $6,500 - Gopher/CRLF Semi-Blind SSRF with Access to Internal Corporate Environments
- $6,000 - IDOR on https://redacted/
- $34,000 - Multiple eSign environments vulnerable to system memory leaks containing secrets and customer data due to public-facing actuator heapdump, env, and trace
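The largest payout above came from management endpoints left reachable from the internet. The endpoint names (heapdump, env, trace) match Spring Boot Actuator, so the following check, added here as an example and not taken from the researchers' report or from Apple's code, assumes that is what was exposed. It probes both the Spring Boot 1.x root paths and the 2.x /actuator paths (where trace became httptrace), and only reports a 200 when the body actually looks like actuator output, so a catch-all page that answers 200 to every path is not a false positive. The host name esign.example and all responses are constructed; the `fetch` callable is injected so the check runs offline, and `urllib_fetch` can be passed instead for a host you are authorized to test.

```python
"""Check a Spring Boot host for publicly reachable Actuator endpoints.

Added example for this page; not code from the researchers' report or
from Apple. Assumption: the "heapdump, env, and trace" endpoints in the
bounty list are Spring Boot Actuator endpoints (1.x served them at the
root, 2.x under /actuator, where trace was renamed httptrace). The host
names and responses below are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple
import urllib.error
import urllib.request

# Actuator endpoints that hand out secrets or live memory when unauthenticated.
SENSITIVE_ENDPOINTS = ("heapdump", "env", "trace", "httptrace")
# Spring Boot 1.x path prefix ("") and 2.x prefix ("/actuator").
BASE_PATHS = ("", "/actuator")

Fetcher = Callable[[str], Tuple[int, bytes]]  # url -> (HTTP status, body prefix)


def candidate_urls(base: str) -> List[str]:
    base = base.rstrip("/")
    return [f"{base}{prefix}/{ep}" for prefix in BASE_PATHS for ep in SENSITIVE_ENDPOINTS]


def classify(url: str, body: bytes) -> Optional[str]:
    """Describe what a 200 response leaks, or None when the body does not look
    like actuator output (filters catch-all pages that return 200 for any path)."""
    endpoint = url.rsplit("/", 1)[-1]
    if endpoint == "heapdump":
        # HPROF files start with "JAVA PROFILE"; Spring Boot 2.x gzips them (1f 8b).
        if body.startswith(b"JAVA PROFILE") or body[:2] == b"\x1f\x8b":
            return "JVM heap dump (contains in-memory secrets and customer data)"
    elif endpoint == "env":
        if b"propertySources" in body or b"systemProperties" in body:
            return "environment and configuration properties"
    elif endpoint in ("trace", "httptrace"):
        if body.lstrip().startswith((b"[", b"{")):
            return "recent HTTP requests including headers and cookies"
    return None


def probe(base: str, fetch: Fetcher) -> Dict[str, str]:
    """Return {url: what it leaks} for every exposed sensitive endpoint on base."""
    findings: Dict[str, str] = {}
    for url in candidate_urls(base):
        try:
            status, body = fetch(url)
        except Exception:  # connection refused, timeout, TLS error: not exposed
            continue
        if status == 200:
            reason = classify(url, body)
            if reason:
                findings[url] = reason
    return findings


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Live fetcher for authorized testing; reads only a 4 KiB prefix so a
    multi-gigabyte heap dump is not downloaded just to identify it."""
    req = urllib.request.Request(url, headers={"User-Agent": "actuator-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def fake_fetcher(table: Dict[str, Tuple[int, bytes]],
                 default: Tuple[int, bytes] = (404, b"")) -> Fetcher:
    """Offline stand-in for urllib_fetch backed by a constructed response table."""
    return lambda url: table.get(url, default)


# Constructed responses imitating a Spring Boot 2.x app that sets
# management.endpoints.web.exposure.include=* with no authentication.
EXPOSED_APP = {
    "https://esign.example/actuator/heapdump": (200, b"\x1f\x8b\x08\x00" + b"\x00" * 60),
    "https://esign.example/actuator/env": (
        200, b'{"activeProfiles":[],"propertySources":[{"name":"systemEnvironment",'
             b'"properties":{"DB_PASSWORD":{"value":"******"}}}]}'),
    "https://esign.example/actuator/httptrace": (
        200, b'{"traces":[{"request":{"method":"GET","uri":"https://esign.example/",'
             b'"headers":{"cookie":["JSESSIONID=abc"]}}}]}'),
}

if __name__ == "__main__":
    for url, leak in probe("https://esign.example", fake_fetcher(EXPOSED_APP)).items():
        print(f"EXPOSED {url}: {leak}")
    # Same host after management.endpoints.web.exposure.include=health,info,
    # behind a catch-all that answers 200 HTML to unknown paths: no findings.
    hardened = fake_fetcher({}, default=(200, b"<html><body>Not found</body></html>"))
    print("hardened findings:", probe("https://esign.example", hardened))
```

The fix on the application side is to restrict `management.endpoints.web.exposure.include` to `health,info`, move the management endpoints to a separate port with `management.server.port` that is not reachable from the internet, and require authentication for whatever remains; heapdump in particular should never be reachable without both. Reading only a body prefix matters in practice because a heap dump can be gigabytes, and pulling it is both slow and, during an authorized test, unnecessary to prove exposure.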
Speaking directly to iMore, Curry said whilst the team has received payouts for the aforementioned issues, they're hoping to cash in on around 30-40 more issues that meet the criteria specified on Apple's bounty page. One of these vulnerabilities could be worth as much as $100,000.
On Apple's Security Bounty program, Curry told us:
Apple's bug bounty program does a great job encouraging responsible disclosure by actively working with well-intentioned security researchers. Programs like Apple's incentivize good actors and create a bridge between organizations and hackers.
The news and the team's work are a testament to the success of Apple's Security Bounty program in helping researchers pin down flaws in Apple's ecosystem before they can be exploited.
You can (and should) read the full report here.