Security experts hacked Apple for 3 months: here is what they found
After learning about Apple's Bug Bounty Program, a group of security researchers (Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes) worked together and hacked Apple from July 6, 2020, to October 6, 2020.
During their engagement, they found several vulnerabilities in key parts of Apple's infrastructure that would enable an intruder to compromise an application, unleash a worm capable of automatically taking over a target's iCloud account, retrieve source code for internal Apple projects, fully compromise the applications used by Apple in an industrial control warehouse, and take over Apple employee sessions with the ability to access administrative tools and sensitive resources.
A total of 55 vulnerabilities were found: 11 of critical severity, 29 high, 13 medium, and 2 low. The researchers assigned these severities for illustration purposes; they are based on a combination of CVSS and an understanding of the business-related impact.
The first step in hacking Apple was figuring out what to actually target, so they began mapping out which Apple-owned assets were accessible to them. All of the results from their scanning were listed in a dashboard that included the HTTP status code, headers, response body, and a screenshot of the accessible web servers under the various domains owned by Apple.
Some of the immediate findings from the automated scanning
The information obtained by these processes was useful in understanding how authorization and authentication worked across Apple, which customer and employee applications existed, which integration and development tools were used, and other notable behaviours, such as web servers consuming certain cookies or redirecting to certain applications.
Once all the scans were done and they felt they had a general understanding of Apple's infrastructure, they started attacking the individual web servers that instinctively seemed more likely to be exposed than others.
This started a series of discoveries that continued throughout their engagement and eventually expanded their understanding of Apple's software. They uncovered a great many vulnerabilities after that.
Vulnerabilities discovered by the researchers
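The triage step described above, as an added example that is not the researchers' own tooling: it takes constructed scan records with the fields their dashboard held (host, status code, headers, body) and groups hosts by the signals the text names, namely redirects to a shared login application, cookies set by a common session layer, and error bodies that leak stack traces. Hostnames and cookie names are invented.

```python
"""Group external-facing hosts by authentication and error-handling signals.

Added example: the input records are constructed, not real scan output.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records; hostnames, cookie names and bodies are invented.
SCAN_RECORDS = [
    {"host": "a.example.test", "status": 302,
     "headers": {"Location": "https://sso.example.test/login?next=/", "Server": "nginx"},
     "body": ""},
    {"host": "b.example.test", "status": 302,
     "headers": {"Location": "https://sso.example.test/login", "Server": "Apache"},
     "body": ""},
    {"host": "c.example.test", "status": 200,
     "headers": {"Set-Cookie": "portal_session=abc; Path=/; HttpOnly", "Server": "nginx"},
     "body": "<html>Welcome</html>"},
    {"host": "d.example.test", "status": 500,
     "headers": {"Server": "Apache-Coyote/1.1"},
     "body": "java.lang.NullPointerException\n\tat com.example.App.handle(App.java:42)"},
]

# Substrings that commonly indicate an unhandled exception was rendered into the body.
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "\tat ", "Exception")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def triage(records):
    """Return hosts grouped by redirect target, session cookie name and stack-trace leaks."""
    by_login = defaultdict(list)   # login host -> hosts that redirect there
    by_cookie = defaultdict(list)  # cookie name -> hosts that set it
    stack_traces = []              # hosts whose error body looks like a stack trace
    for rec in records:
        headers = rec["headers"]
        if rec["status"] in REDIRECT_STATUSES and "Location" in headers:
            by_login[urlparse(headers["Location"]).netloc].append(rec["host"])
        raw_cookie = headers.get("Set-Cookie", "")
        if "=" in raw_cookie:  # one cookie per record in this constructed sample
            by_cookie[raw_cookie.split("=", 1)[0].strip()].append(rec["host"])
        if rec["status"] >= 500 and any(m in rec["body"] for m in STACK_TRACE_MARKERS):
            stack_traces.append(rec["host"])
    return {"redirects_to": dict(by_login), "sets_cookie": dict(by_cookie),
            "stack_traces": stack_traces}


if __name__ == "__main__":
    for key, hosts in triage(SCAN_RECORDS).items():
        print(key, hosts)
```

Hosts sharing a redirect target or cookie name sit behind the same authentication layer, so a finding in that layer applies to every host in the group; the stack-trace list is the "Information Disclosure via Stack Trace" class from the table below.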
| Date | Vulnerability Title | Severity |
|---|---|---|
| 09-17-2020 | Authentication Bypass via Misconfigured Permissions allows Global Administrator Access | Critical |
| 08-12-2020 | Blind XSS allows Attacker to Access Apple Books Management Application and Modify Protected Resources | High |
| 09-04-2020 | Blind XSS allows Attacker to Access Apple Books Management Application and Modify Protected Resources | High |
| 08-20-2020 | Blind XSS allows Attacker to Access Apple Maps Management Application and Modify Protected Resources | High |
| 09-01-2020 | Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking | Critical |
| 07-15-2020 | Blind XSS from Low Level User to High Level User allows Attacker to Compromise Application | Medium |
| 08-11-2020 | Command Injection via Unsanitized Filename Argument | Critical |
| 08-07-2020 | Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources | Critical |
| 08-10-2020 | IDOR allows Attacker to Read Full User Application Details for Apple Partner Application | High |
| 07-05-2020 | IDOR on Apple App Store allows Attacker to Modify Various Components of Apple Store Applications | High |
| 08-21-2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 09-01-2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 07-15-2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 08-14-2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 09-02-2020 | IDOR on Apple Application allows Attacker to Read Protected Information about Users | High |
| 08-01-2020 | IDOR on Apple Application allows Attacker to Read Protected Information about Users | High |
| 07-31-2020 | IDOR on Apple Application allows Attacker to Read Protected Information about Users | High |
| 08-14-2020 | IDOR on iCloud Allows Attacker to Retrieve Victim Name and Email address via Incremental Numeric Identifier | High |
| 08-06-2020 | Improper Access Control on Apple Application allows Attacker to Disclose and Modify Internal Application Resources | High |
| 08-20-2020 | Information Disclosure on Third Party Website | Low |
| 08-21-2020 | Information Disclosure via IDOR | Medium |
| 07-16-2020 | Information Disclosure via Stack Trace | Medium |
| 09-02-2020 | Lack of Access Control on Apple Application allows Attacker to Retrieve Name, Address, Phone Number, and Contact Information of All Users | High |
| 08-04-2020 | Lack of Rate Limiting on Apple Application allows Attacker to Validate and Access Protected Resources | High |
| 08-01-2020 | Login Form with No Rate Limiting | Low |
| 07-18-2020 | Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications | Critical |
| 09-01-2020 | Path Traversal allows Attacker to Enumerate System File Information | Medium |
| 09-04-2020 | Reflected XSS allows Attacker to Fully Compromise Tenant Resources | Medium |
| 07-10-2020 | Reflected XSS allows Attacker to Fully Compromise Tenant Resources | Medium |
| 07-07-2020 | Reflected XSS on Third Party Application allows Attacker to Compromise Application | Medium |
| 08-14-2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 08-16-2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 08-27-2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 09-09-2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 08-19-2020 | Reflected XSS within Various Apple Authentication Systems | High |
| 07-26-2020 | Remote Code Execution via Authorization and Authentication Bypass | Critical |
| 08-21-2020 | Remote Code Execution via Leaked Secret and Exposed Administrator Tool | Critical |
| 08-21-2020 | Server Side PhantomJS Execution allows Attacker to Access Internal Resources and Retrieve AWS IAM Keys | Critical |
| 07-22-2020 | SSRF on Apple Application allows Attacker to send Internal Gopher Requests | High |
| 08-05-2020 | SSRF within Apple Application allows Attacker to Access Protected Resources | High |
| 08-05-2020 | SSRF within Apple Application allows Attacker to Access Protected Resources | High |
| 08-24-2020 | SSRF within Apple Application allows Attacker to Access Protected Resources | High |
| 08-11-2020 | SSRF within Apple Application allows Attacker to Access Protected Resources | High |
| 07-17-2020 | SSRF within Apple Application allows Attacker to Access Protected Resources | High |
| 08-24-2020 | Stored XSS on Apple Application | Medium |
| 07-16-2020 | Stored XSS on Apple Application allows Attacker to Escalate Privileges and Compromise Tenant Applications | High |
| 08-20-2020 | Stored XSS via Unrestricted File Upload | High |
| 08-10-2020 | Stored XSS via Unrestricted File Upload | Medium |
| 08-19-2020 | Various 2FA Bypasses allow Attacker to Access Account Details without Solving MFA Challenge | High |
| 07-26-2020 | Various VPNs Affected by Local File Disclosure Vulnerability | High |
| 08-06-2020 | Vertica SQL Injection via Unsanitized Input Parameter | Critical |
| 08-05-2020 | Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account | Critical |
| 08-14-2020 | Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account | Critical |
| 08-01-2020 | XXE via Enabled External Entity Processing | High |
Certainly a fast response from Apple, but given the severity of the vulnerabilities found, that is not surprising: the hackers even managed to gain access to the source code for iOS, macOS, and other Apple projects.
As of October 6, 2020, most of these findings have been fixed and credited. They were typically remediated within 1-2 business days, with some being fixed in 4-6 hours. The researchers have so far received four payments totaling $51,500. It seems, though, that Apple makes batch payments and will presumably pay for more of the issues in the coming months.