Apple is known for its more-polished and expensive products that value privacy and security of its users. But that doesn't mean they are perfect.
The Cupertino-based company was found to have at least 55 vulnerabilities scattered across its software and online services. The vulnerabilities were discovered by a team of five security researchers, who spent three months hacking Apple's digital infrastructure.
It began back in July 2020, when security researcher Sam Curry thought that Apple offered bounties only for bugs related to its physical products, like the iPhone.
However, he then realized that Apple also pays out bounties to those who find vulnerabilities in its infrastructure.
This is detailed on Apple's bug bounty program page, which says that Apple pays out for vulnerabilities with a "significant impact to users."
Realizing this, Curry recruited a team of fellow security researchers — Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes — and began hacking Apple.
The very first step the team took was finding out which parts of Apple-owned infrastructure were accessible.
It was during this step that the team found that Apple owns a massive web infrastructure.
After three months spent scanning and hacking Apple's systems with various exploits, the team found a total of 55 vulnerabilities of varying severity.
11 of them were ranked as critical, 29 as high severity, 13 as medium severity, and 2 as low severity vulnerabilities.
The 11 critical bugs discovered by Sam Curry and the team are as follows:
- Remote Code Execution via Authorization and Authentication Bypass.
- Authentication Bypass via Misconfigured Permissions allows Global Administrator Access.
- Command Injection via Unsanitized Filename Argument.
- Remote Code Execution via Leaked Secret and Exposed Administrator Tool.
- Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications.
- Vertica SQL Injection via Unsanitized Input Parameter.
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account.
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account.
- Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources.
- Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking.
- Server Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys.
Among the flaws was one, shown below, which could have allowed hackers to hijack a user's iCloud account:
Throughout the process, Curry said that Apple's product security staff members were very responsive. The average turnaround time for critical security reports was about four hours between submission and remediation.
Most of the reported flaws were fixed within one to two business days, with some of them fixed in as little as four to six hours.
Apple doesn’t allow bounty hunters to disclose all vulnerabilities they find. However, in Curry's case, Apple did allow the team to explain some of the vulnerabilities briefly.
It was after the fixes that Curry received permission from Apple's product security team to publish information in a post on Sam Curry's website, and they "are doing so at their discretion."
Apple fixed all the vulnerabilities as of October 6th, 2020. It was a day after that, on October 7th, that the team published their report.
The next day, on October 8th, the team received 32 bounty payments totaling more than $280,000 for the various vulnerabilities.