Ethical hackers discovered 55 bugs in Apple services during a three-month engagement, disclosed them through the company’s bug-bounty program, and earned nearly $300k in payouts.

 

The flaws (11 critical, 29 high-risk, 13 medium-risk, and 2 low-risk), which exposed key weaknesses in the company’s infrastructure, were found by ethical hackers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes.

 

All details have been explained in a blog post that Curry wrote about the team’s findings.

 

Details about the Bugs Found in Apple Services

 

The found flaws could have given attackers the capacity to “fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

 

In short: the bugs came close to making the hijacking of users’ iCloud accounts possible.
This is a serious issue, considering that such accounts hold photos, videos, documents, and other personal information, and even more so because the same exploit could be repeated against each account owner’s contacts.

 

These are the critical bugs pointed out by Sam and the team:

 

  1. Remote Code Execution via Authorization and Authentication Bypass
  2. Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  3. Command Injection via Unsanitized Filename Argument
  4. Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  5. Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  6. Vertica SQL Injection via Unsanitized Input Parameter
  7. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  8. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  9. Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  10. Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  11. Server Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys

 

The Apple Distinguished Educators site was one of the affected domains. 

 

A default password (###INvALID#%!3) made it possible to bypass authentication, giving attackers easy administrator access, from which they could execute code.

 

A similar vulnerability was found in Apple’s book writing and publishing platform, Apple Books for Authors. This time, it was the ePub file upload tool that could have been manipulated through HTTP requests.

 

For what purpose, you may ask? To run commands on the “authors.apple.com” server.

 

Last but not least, another of the critical bugs was a cross-site scripting (XSS) vulnerability in the domain “www.icloud.com”.

 

It worked by sending a crafted email to an icloud.com or mac.com address; once the victim opened it in a browser through Apple’s mail service, attackers could steal photos and contacts. The worst part is that this wormable vulnerability could propagate by sending itself on to the victim’s contacts.

 

It is alarming that even the largest tech companies have failures like these in their web application security. Fortunately, Apple and a growing number of other companies are open to working with ethical hackers to improve every layer.

 

In this case, Curry said, the Apple security team allowed the hackers to publish details of the bugs once they had been fixed and re-tested. He also noted in the blog post:

 

“When we first started this project we had no idea we’d spend a little bit over three months working towards its completion.

 

This was originally meant to be a side project that we’d work on every once in a while, but with all of the extra free time with the pandemic we each ended up putting a few hundred hours into it.”

 

After the bugs were disclosed, the iPhone maker patched them within 2 business days, and fixed some of the smaller ones within 4-6 hours of the first report.

 

Are you an ethical hacker or cybersecurity expert? A public bug-bounty program like this one could be of interest to you. Apple opened this one last December after many complaints from developers about its “lack of transparency” regarding hardware and software flaws.

 

But if you’re a business owner, this should be truly valuable to you as well.

 

The MyITGuy team of cybersecurity experts is ready to answer any questions or requests regarding the protection of your assets. Aren’t you tired of living scared?