Ethical hackers so far have made nearly $300K in pay-outs from the Apple ‘bug-bounty program’ for finding 55 bugs, 11 of them critical, during a 3-month hack.
A group of ethical hackers opened Apple’s infrastructure & systems &, over 3 months, discovered 55 vulnerabilities, some of which would have given attackers complete control over customer & employee applications.
A critical, ‘wormable’ iCloud account takeover bug would allow attackers to automatically steal all of a victim’s documents, photos, videos & more.
The discovery. by hackers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb & Tanner Barnes found key weaknesses in the company’s “huge” infrastructure, while it also made the team nearly $300,000 to date in rewards for their work, Curry wrote in an extensive blog post detailing the team’s findings.
The flaws found in core portions of Apple’s infrastructure includes ones that would have allowed an attacker to:
“fully compromise both customer & employee applications; launch a worm capable of automatically taking over a victim’s iCloud account; retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple; & take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” he wrote.
Of the 55 vulnerabilities, 11 were rated with critical severity, 29 with high severity, 13 with medium severity & 2 with low severity. Researchers rated the bugs based on the CvSS vulnerability-severity rating, and “our understanding of the business-related impact,” Curry explained.
This ‘wormable’ iCloud bug is a cross-site scripting (XSS) issue, says the writeup. iCloud is an automatic storage mechanism for photos, videos, documents, & app related data for Apple products. Additionally, this platform provides services like Mail and Find my iPhone.
“The mail service is a full email platform where users can send & receive emails similar to Gmail and Yahoo,” explained Curry. “Additionally, there is a mail app on both iOS & Mac which is installed by default on the products. The mail service is hosted on www.icloud.com alongside all of the other services like file & document storage.”
He further added, “This meant, from an attackers’ perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service.”
He found such a bug after hunting around for some time, “When you had 2 style tags within the email, the contents of the style tags would be concentrated together into 1 style tag,” he commented.
Proof of Concept
“This meant that if we could get ‘</sty’ into the first tag & ‘le>’ into the 2nd tag, it would be possible to trick the application into thinking our tag was still open when it really wasn’t.”
The team was able to create a ‘proof of concept’ that demonstrated code that steals all of the victim’s personal iCloud information (photos, calendar information & documents), then forwards this to all of their contacts.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, commented that the success of the bounty-hunters should be a ‘wake-up call’.
“Unfortunately, there is no warranty that these vulnerabilities have not been exploited by sophisticated threat actors to silently compromise VIP victims,” he outlined in an email. “Worse, likely more similar vulnerabilities exist undiscovered & may be known to hacking groups that make a lot of money by their exploitation.
Modern web applications open the door to corporate networks with the most critical information, & their breach can be fatal for a company.”
Apple Response and $300K
Apple responded quickly to the bug reports, fixing the majority of them by the time the post went live, with typical remediation upon learning of the flaws occurring within 1-2 business days, & response to some critical vulnerabilities within as little as 4-6 hours, he informed.
“Overall, Apple was very responsive to our reports,” Curry commented, adding that, “as of now, Oct. 8th, we have received 32 payments totalling $288,500 for various vulnerabilities.” That no. could go higher as Apple tends to pay in “batches,” so the hackers hope for more payments in the coming months, he explained further.
Apple’s public bug-bounty program – in which all interested parties can participate – is a fairly recent thing.
The company opened up a historically private program to the public last Dec. after years of criticism from developers, who argued that the company needed to be more ‘transparent’ about flaws in its hardware & software. It also included a $1 million maximum pay-out to ‘sweeten’ this deal.
Team of Hackers
Curry, who styles himself a ‘full-time bug-bounty hunter’ further noted he was inspired to assemble the team of hackers to look into Apple’s infrastructure after learning on Twitter of a researcher’s award of $100,000 from Apple, for discovering an authentication bypass that allowed for arbitrary access any Apple customer account.
“This was surprising to me, as I previously understood that Apple’s bug bounty program only awarded security vulnerabilities affecting their physical products & did not pay-out for issues affecting their web assets,” he further wrote.
When he discovered that Apple was willing to pay for vulnerabilities “with significant impact to users” regardless of whether or not the asset was explicitly listed in scope, it was ‘game on’, he noted .
“This caught my attention as an interesting opportunity to investigate a new program which appeared to have a wide scope and fun functionality,” Curry wrote. He invited hackers he had worked with previously onto the project, even though everyone knew there was no guarantee of pay-outs for their efforts.
The critical vulnerabilities the team discovered are all of these: Full Compromise of Apple Distinguished Educators Program via Authentication and Authorization Bypass; Full Compromise of DELMIA Apriso Application via Authentication Bypass; Wormable Stored Cross-Site Scripting Vulnerabilities Allow Attacker to Steal iCloud Data through a Modified Email; Command Injection in Author’s ePublisher; Full Response SSRF on iCloud allows Attacker to Retrieve Apple Source Code; Nova Admin Debug Panel Access via REST Error Leak; AWS Secret Keys via PhantomJS iTune Banners and Book Title XSS; Heap Dump on Apple eSign Allows Attacker to Compromise Various External Employee Management Tools; XML External Entity processing to Blind SSRF on Java Management API; GBI Vertica SQL Injection and Exposed GSF API; Various IDOR Vulnerabilities; & Various Blind XSS Vulnerabilities.
The hackers received permission from the Apple security team to publish details on the critical bugs, all of which have been fixed & re-tested, Curry explained.
These findings are a very alarming reminder that even the largest tech companies considerably underestimate their web application security, suggested Kolochenko.
Application Security Program
“Most organisations merely invest into some automated scanning tools & recurrent penetration testing but without implementing a comprehensive application security program,” he observed.
“Such a program shall include regular secure coding trainings for software developers, introducing security controls aimed to detect vulnerabilities at the early stage of development – the so-called ‘shift-left’ approach, & providing strict security guidelines for software developed by 3rd-parties.
Finally, modern software shall incorporate privacy by design to enable seamless compliance with regulations like CCPA or GDRP.”