Researchers Hacked Apple, And Found 55 Vulnerabilities Along The Way


Apple is known for its polished, expensive products that emphasize the privacy and security of its users. That doesn't mean they are perfect.

The Cupertino-based company was found to have at least 55 vulnerabilities scattered across its software and online services. The vulnerabilities were discovered by a team of five security researchers who spent three months hacking Apple's digital infrastructure.

It began in July 2020, when security researcher Sam Curry assumed that Apple offered bounties only for bugs found in its physical products, such as the iPhone.

He then realized that Apple also pays bounties for vulnerabilities found in its infrastructure.

This is detailed on Apple's bug bounty program page, which says that Apple pays out for vulnerabilities with a "significant impact to users."

Realizing this, Curry recruited a team of fellow security researchers — Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes — and began hacking Apple.

"Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities."

The team's very first step was finding out which Apple-owned infrastructure was accessible.

It was during this step that the team found that Apple owns a massive web infrastructure.

"They own the entire 17.0.0.0/8 IP range, which includes 25,000 web servers with 10,000 of them under apple.com, another 7,000 unique domains, and to top it all off, their own TLD (dot apple). Our time was primarily spent on the 17.0.0.0/8 IP range, .apple.com, and .icloud.com since that was where the interesting functionality appeared to be."

After three months of scanning and hacking Apple's systems with various exploits, the team found a total of 55 vulnerabilities of varying severity.

Of these, 11 were ranked as critical, 29 as high severity, 13 as medium severity, and 2 as low severity.

"During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources."
Exploiting a flaw in the password reset process associated with an application called DELMIA Apriso, a warehouse management solution, the researchers managed to authenticate themselves as global administrators to the application. (Credit: Sam Curry)

The 11 critical bugs discovered by Sam Curry and the team are as follows:

  1. Remote Code Execution via Authorization and Authentication Bypass.
  2. Authentication Bypass via Misconfigured Permissions allows Global Administrator Access.
  3. Command Injection via Unsanitized Filename Argument.
  4. Remote Code Execution via Leaked Secret and Exposed Administrator Tool.
  5. Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications.
  6. Vertica SQL Injection via Unsanitized Input Parameter.
  7. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account.
  8. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account.
  9. Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources.
  10. Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking.
  11. Server-Side PhantomJS Execution allows Attacker to Access Internal Resources and Retrieve AWS IAM Keys.

Among the flaws was one that could have allowed hackers to hijack a user's iCloud account:

"When we first started this project we had no idea we'd spend a little bit over three months working towards its completion. This was originally meant to be a side project that we'd work on every once in a while, but with all of the extra free time with the pandemic we each ended up putting a few hundred hours into it."

Throughout the process, Curry said, Apple's product security staff were very responsive. The average turnaround time for critical security reports was about four hours between submission and remediation.

Most of the reported flaws were fixed within one to two business days, with some fixed in as little as four to six hours.

Apple doesn't allow bounty hunters to disclose every vulnerability they find. In Curry's case, however, Apple did allow the team to briefly explain some of the vulnerabilities.

After the fixes, Curry received permission from Apple's product security team to publish the information in a post on his website, and the team said they "are doing so at their discretion."

Apple had fixed all of the vulnerabilities as of October 6th, 2020. A day later, on October 7th, the team published their report.

The next day, on October 8th, the team received 32 bounty payments totaling more than $280,000 for the various vulnerabilities.

Published: 12/10/2020