Researchers Get Big Bounties From Apple For Critical Vulnerabilities

A team of researchers has received hundreds of thousands of dollars in bug bounties from Apple for reporting 55 vulnerabilities, including ones that exposed source code, employee and customer apps, warehouse software, and iCloud accounts.

Researchers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes decided in early July to take part in Apple’s bug bounty program and attempt to find as many vulnerabilities as possible in the tech giant’s systems and services.

Between July 6 and October 6, they discovered and reported a total of 55 issues, including 11 rated critical and 29 rated high severity. To date, Apple has made 32 payments to the researchers totaling $288,500, but they expect to receive more for their findings in the coming months.

The researchers said in a blog post published this week that the vast majority of the vulnerabilities they reported to Apple have been patched. The company fixed some of the more serious issues within a few hours.

With Apple’s permission, the white hat hackers disclosed the details of a dozen interesting vulnerabilities they found during the three-month project.

For example, they found a way to bypass authentication and authorization on the Apple Distinguished Educators website, which ultimately could have allowed an attacker to execute arbitrary commands on an Apple web server, access an internal user account management service, and access “the majority of Apple’s internal network.”

They also analyzed a third-party warehouse management solution used by Apple and discovered vulnerabilities that could have been exploited to obtain highly sensitive information or cause significant disruption.

In addition, they found stored cross-site scripting (XSS) flaws in the iCloud platform, which could have been exploited to execute arbitrary code in a user’s browser or create an email-based worm that could silently modify or steal information from iCloud accounts, including photos and videos.

Also related to iCloud, there was a server-side request forgery (SSRF) bug that could have been exploited to gain access to some Apple source code and breach Apple’s internal network.

In fact, several of the vulnerabilities could have been exploited to gain access to Apple’s internal network and execute arbitrary commands on some of the company’s web servers.

The researchers also reported finding secret keys that could have allowed an attacker to obtain data from Apple’s internal AWS environment, IDOR flaws that could have been leveraged to obtain or modify data, and XSS vulnerabilities that may have provided access to sensitive user data.

“Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation,” Curry explained.

“Since no-one really knew much about their bug bounty program, we were pretty much going into uncharted territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities,” he added.

Related: Apple Offers Hackable iPhones to Security Researchers

Related: Researcher Claims Apple Paid $100,000 for ‘Sign in With Apple’ Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
