What you need to know
- A group of hackers spent three months hacking Apple's infrastructure under its Security Bounty program.
- The group found vulnerabilities in various parts of Apple's infrastructure.
- The team has already received $51,500 in bounty payouts and is expecting even more.
A group of hackers has detailed how they spent three months hacking Apple, uncovering various vulnerabilities, and cashing in on Apple's Security Bounty program in the process.
The group, made up of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes, tackled Apple's infrastructure high and low over the course of three months. From the report:
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.
The group says they found 55 total vulnerabilities of varying severity, some being critical, others a mix of high, medium, and low severity. They also stated that Apple had addressed "the vast majority" of their findings, usually within one or two business days, and sometimes just a few hours.
The team was driven to capitalize on the program after realizing that Apple's Security Bounty Program extends beyond Apple's physical products to their web assets and infrastructure too. Curry writes:
This caught my attention as an interesting opportunity to investigate a new program that appeared to have a wide scope and fun functionality. At the time I had never worked on the Apple bug bounty program so I didn't really have any idea what to expect but decided why not try my luck and see what I could find.
The report goes into immense detail on the various vulnerabilities and on the strategies used to find and attack weaknesses, and, judging by the response on Twitter, it sounds like a must-read for anyone with an interest in the subject.
In conclusion, the team writes that, as of October 4, it has received four payments totaling $51,500. Specifically:
- $5,000 - Disclosing the Full Name of iCloud users via Editor Invitation on redacted
- $6,500 - Gopher/CRLF Semi-Blind SSRF with Access to Internal Corporate Environments
- $6,000 - IDOR on https://redacted/
- $34,000 - Multiple eSign environments vulnerable to system memory leaks containing secrets and customer data due to public-facing actuator heapdump, env, and trace
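As an added illustration (not code from the report, the team, or Apple), the kind of Spring Boot Actuator misconfiguration behind the largest payout above, shown as an application.properties fragment with the exposing setting commented out beside a hardened one. It assumes Spring Boot 2.x property names, where the trace endpoint is called httptrace.

```properties
# Exposing setting (commented out here): publishes every actuator endpoint,
# including heapdump, env and httptrace, over the application's HTTP port.
# A heapdump response is a full JVM memory image, so anything the app holds
# in memory (credentials, tokens, customer records) leaves with it.
# management.endpoints.web.exposure.include=*

# Hardened setting: expose only the health check over HTTP, explicitly
# exclude and disable the memory- and configuration-revealing endpoints,
# and bind the management port to a loopback address so that actuator
# traffic never shares the public listener.
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=heapdump,env,httptrace,threaddump
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.endpoint.httptrace.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
```

A quick check after deployment is that GET /actuator/heapdump on the public port returns 404 rather than a binary download.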
Speaking directly to iMore, Curry said whilst the team has received payouts for the aforementioned issues, they're hoping to cash in on around 30-40 more issues that meet the criteria specified on Apple's bounty page. One of these vulnerabilities could be worth as much as $100,000.
On Apple's Security Bounty program, Curry told us:
Apple's bug bounty program does a great job encouraging responsible disclosure by actively working with well-intentioned security researchers. Programs like Apple's incentivize good actors and create a bridge between organizations and hackers.
The news and the team's work are a testament to the success of Apple's Security Bounty program in helping researchers pin down problems in Apple's ecosystem before they become issues.
You can (and should) read the full report here.