Security Researchers Spent Three Months Hacking Apple, Earned $51,500 in Bounty

Apple has awarded a bounty of $51,500 to a team of security researchers for unearthing vulnerabilities in the company’s infrastructure. The team spent three months hacking Apple and found several vulnerabilities affecting its digital infrastructure.

Apple pays a bounty to security researchers who report a bug. Initially, the researchers thought that Apple offered bounties only for bugs related to products like the iPhone. However, they soon realized that Apple also pays bounties for vulnerabilities in its infrastructure. Earlier this year, the company paid out a $100k bounty for the discovery of a zero-day in Sign in with Apple.

Soon enough, the security researcher checked Apple’s page about the bug bounty program. Apple said it was willing to pay for vulnerabilities that had a “significant impact on users.” In other words, the company pays a bounty for a vulnerability that is not explicitly listed in scope, as long as it has a significant impact on users. The security researcher teamed up with other hackers, and they started working together.

The first step was mapping the Apple-owned infrastructure that was accessible. They found that Apple owns a massive web infrastructure that includes 25,000 web servers. Over the following three months, the team, consisting of Brett Buerhaus, Ben Sadeghipour, Tanner Barnes, and Samuel Erb, tested various exploits. They found 55 vulnerabilities, of which 28 were rated high severity and 11 were labeled critical.

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

Fixing Security Vulnerabilities

Thankfully, Apple had fixed all the vulnerabilities as of October 6th, 2020. Some bugs took 1-3 days to fix, while others were fixed within 4-5 hours. As a policy, Apple doesn’t allow the researchers to disclose all the vulnerabilities. However, it did let the researchers explain some of them briefly. The researchers detailed the full compromise of Apple’s Distinguished Educators program; another vulnerability showed how hackers could access user iCloud data via email. One of the vulnerabilities gave hackers access to Apple’s internal inventory.

Apple issues payments in batches, and so far it has paid out $51,500 for the vulnerabilities. The company is likely to pay more for the other vulnerabilities in the “following months.”

[via SamCurry]