Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Get Big Bounties From Apple For Critical Vulnerabilities

A team of researchers has received hundreds of thousands of dollars in bug bounties from Apple for reporting 55 vulnerabilities, including ones that exposed source code, employee and customer apps, warehouse software, and iCloud accounts.

A team of researchers has received hundreds of thousands of dollars in bug bounties from Apple for reporting 55 vulnerabilities, including ones that exposed source code, employee and customer apps, warehouse software, and iCloud accounts.

Researchers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes decided in early July to take part in Apple’s bug bounty program and attempt to find as many vulnerabilities as possible in the tech giant’s systems and services.

Between July 6 and October 6, they discovered and reported a total of 55 issues, including 11 rated critical and 29 rated high severity. To date, Apple made 32 payments to the researchers totaling $288,500, but they expect to receive more for their findings in the coming months.

The researchers said in a blog published this week that a vast majority of the vulnerabilities they reported to Apple have been patched. The company fixed some of the more serious issues within a few hours.

With Apple’s permission, the white hat hackers disclosed the details of a dozen interesting vulnerabilities they found during the three-month project.

For example, they found a way to bypass authentication and authorization on the Apple Distinguished Educators website, which ultimately could have allowed an attacker to execute arbitrary commands on an Apple web server, access an internal user account management service, and access “the majority of Apple’s internal network.”

They also analyzed a third-party warehouse management solution used by Apple and discovered vulnerabilities that could have been exploited to obtain highly sensitive information or cause significant disruption.

Advertisement. Scroll to continue reading.

In addition, they found stored cross-site scripting (XSS) flaws in the iCloud platform, which could have been exploited to execute arbitrary code in a user’s browser or create an email-based worm that could silently modify or steal information from iCloud accounts, including photos and videos.

Also related to iCloud, there was a server-side request forgery (SSRF) bug that could have been exploited to gain access to some Apple source code and breach Apple’s internal network.

Actually, there were several vulnerabilities that could have been exploited to gain access to Apple’s internal network and execute arbitrary commands on some of the company’s web servers.

The researchers also reported finding secret keys that could have allowed an attacker to obtain data from Apple’s internal AWS environment, IDOR flaws that could have been leveraged to obtain or modify data, and XSS vulnerabilities that may have provided access to sensitive user data.

“Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation,” Curry explained.

“Since no-one really knew much about their bug bounty program, we were pretty much going into unchartered territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities,” he added.

Related: Apple Offers Hackable iPhones to Security Researchers

Related: Researcher Claims Apple Paid $100,000 for ‘Sign in With Apple’ Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.