Bug bounty hunters receive impressive security reward payout from tech giant

A group of bug bounty hunters discovered 55 vulnerabilities in Apple's infrastructure

A team of researchers spent three months hacking Apple’s web domain, discovering 55 vulnerabilities and earning a payout of more than $288,000.

The group – formed of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes – targeted the parts of Apple’s infrastructure that were available via the company’s bug bounty program.

During their research they discovered 11 bugs marked critical, 29 high severity, 13 medium, and two low severity.

The more dangerous bugs included remote code execution (RCE) via authorization and authentication bypass and a stored cross-site scripting (XSS) vulnerability that allowed compromise of a customer’s iCloud account.

Researchers were also able to steal source code from Apple’s internal projects, and fully compromise an industrial control warehouse software used by Apple, a blog post details.

So far, “the vast majority” of bugs have been fixed and credited. Apple has paid out $288,500 for a total of 32 vulnerabilities.

Complete control

The RCE via authentication and authorization bypass allowed an attacker to fully compromise Apple’s ‘Distinguished Educators’ (ADE) program.

The ADE program assigned a default password to users, which could be used in a brute-force attack to log into several accounts ¬– including one that contained core admin privileges on the network.

This allowed the team to gain access to the interface, enabling them to execute arbitrary commands on the ADE webserver and access the majority of Apple’s network.

YOU MAY LIKE ‘Sign in with Apple’ vulnerability find earns $100k bug bounty

The wormable stored XSS vulnerabilities allowed an attacker to steal iCloud data from a user.

The team discovered the vulnerability through iCloud’s mail application. There was a stored XSS in the <style> tag, which allowed an attacker to access to their victim’s iCloud data.

Curry explained in the blog post: “Since the mail application is hosted on ‘www.icloud.com’ this meant that we had browser permissions to retrieve the HTTP responses for the corresponding APIs for the iCloud service (if we could sneak in the JavaScript to reach out to them).”

A proof of concept video shows how the attacker could silently steal the victim’s photos, videos, and documents, then forward the modified email to the victim’s contact list and worm the cross-site scripting payload against the iCloud mail service, Curry wrote.

An extensive list of vulnerabilities can be found in the write up. The team was not able to disclose details of all of their findings, some of which need to be kept confidential to comply with Apple’s bug bounty rules.

Team effort

Curry told The Daily Swig: “It was nice working with a team because it made it a lot more engaging. Even if we weren’t going to get paid for a while we could still confer the issues with each other and get excited about them.

“I would prefer to do something again as a team, but it’s gotten tough to find time when everyone is free.”

The researcher described working with Apple during the disclosure process as “fantastic”, adding that they are still waiting to discover the full payout figure they have collectively earned.

Curry said: “The disclosure process with Apple was fantastic. All they asked was that the vulnerability was fixed before we disclosed it. They offered to review our blog post, but said it wasn't mandatory if we didn't want to share it with them beforehand.

“It may take a while to be fully paid out for everything, but based on the bounty total I think we'll have an accurate reflection of what we should be paid for the impact.”

The Daily Swig has reached out to Apple for comment and will update this article accordingly.

READ MORE Apple security: Sophisticated Mac malware targets developers