Security experts hacked Apple for 3 months: here is what they found

After learning about Apple's Bug Bounty Program, a group of security researchers (Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes) worked together and hacked Apple from July 6, 2020, to October 6, 2020.

During their engagement, they found several vulnerabilities in key parts of Apple's infrastructure that would have allowed an attacker to compromise applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise the applications Apple uses in an industrial control warehouse, and take over the sessions of Apple employees with access to management tools and sensitive resources.

In total, 55 vulnerabilities were found: 11 of critical severity, 29 high, 13 medium, and 2 low. The researchers assigned these severities for demonstration purposes, based on a combination of CVSS and their understanding of the business impact.

The first step in hacking Apple was figuring out what to actually target, so they began by enumerating the Apple-owned assets that were accessible to them. All results from their scanning were listed in a dashboard that included the HTTP status code, headers, response body, and a screenshot of each accessible web server under the various domains owned by Apple.

Some of the immediate findings from the automated scanning

The information obtained through these processes was useful in understanding how authorization and authentication worked across Apple, what customer and employee applications existed, what integration and development tools were used, and various observable behaviours such as web servers consuming certain cookies or redirecting to certain applications.

Once all the scans were done and they felt they had a general understanding of Apple's infrastructure, they started attacking the individual web servers that instinctively seemed more likely to be vulnerable than others.

This set off a series of discoveries that continued throughout the engagement and steadily expanded their understanding of Apple's software. They uncovered a large number of vulnerabilities after that.

Vulnerabilities they discovered

| Date | Vulnerability Title | Severity |
|---|---|---|
| 9/17/2020 | Authentication Bypass via Misconfigured Permissions allows Global Administrator Access | Critical |
| 08-12-2020 | Blind XSS allows Attacker to Access Apple Books Management Application and Modify Protected Resources | High |
| 09-04-2020 | Blind XSS allows Attacker to Access Apple Books Management Application and Modify Protected Resources | High |
| 8/20/2020 | Blind XSS allows Attacker to Access Apple Maps Management Application and Modify Protected Resources | High |
| 09-01-2020 | Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking | Critical |
| 7/15/2020 | Blind XSS from Low Level User to High Level User allows Attacker to Compromise Application | Medium |
| 08-11-2020 | Command Injection via Unsanitized Filename Argument | Critical |
| 08-07-2020 | Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources | Critical |
| 08-10-2020 | IDOR allows Attacker to Read Full User Application Details for Apple Partner Application | High |
| 07-05-2020 | IDOR on Apple App Store allows Attacker to Modify Various Components of Apple Store Applications | High |
| 8/21/2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 09-01-2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 7/15/2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 8/14/2020 | IDOR on Apple Application allows Attacker to Enumerate User Information | High |
| 09-02-2020 | IDOR on Apple Application allows Attacker to Read Protected Information about Users | High |
| 08-01-2020 | IDOR on Apple Application allows Attacker to Read Protected Information about Users | High |
| 7/31/2020 | IDOR on Apple Application allows Attacker to Read Protected Information about Users | High |
| 8/14/2020 | IDOR on iCloud Allows Attacker to Retrieve Victim Name and Email address via Incremental Numeric Identifier | High |
| 08-06-2020 | Improper Access Control on Apple Application allows Attacker to Disclose and Modify Internal Application Resources | High |
| 8/20/2020 | Information Disclosure on Third Party Website | Low |
| 8/21/2020 | Information Disclosure via IDOR | Medium |
| 7/16/2020 | Information Disclosure via Stack Trace | Medium |
| 09-02-2020 | Lack of Access Control on Apple Application allows Attacker to Retrieve Name, Address, Phone Number, and Contact Information of All Users | High |
| 08-04-2020 | Lack of Rate Limiting on Apple Application allows attacker to Validate and Access Protected Resources | High |
| 08-01-2020 | Login Form with No Rate Limiting | Low |
| 7/18/2020 | Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications | Critical |
| 09-01-2020 | Path Traversal allows Attacker to Enumerate System File Information | Medium |
| 09-04-2020 | Reflected XSS allows Attacker to Fully Compromise Tenant Resources | Medium |
| 07-10-2020 | Reflected XSS allows Attacker to Fully Compromise Tenant Resources | Medium |
| 07-07-2020 | Reflected XSS on Third Party Application allows Attacker to Compromise Application | Medium |
| 8/14/2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 8/16/2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 8/27/2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 09-09-2020 | Reflected XSS via Unsanitized Parameter | Medium |
| 8/19/2020 | Reflected XSS within Various Apple Authentication Systems | High |
| 7/26/2020 | Remote Code Execution via Authorization and Authentication Bypass | Critical |
| 8/21/2020 | Remote Code Execution via Leaked Secret and Exposed Administrator Tool | Critical |
| 8/21/2020 | Server Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys | Critical |
| 7/22/2020 | SSRF on Apple Application allows Attacker to send Internal Gopher Requests | High |
| 08-05-2020 | SSRF within Apple Application allows attacker to Access Protected Resources | High |
| 08-05-2020 | SSRF within Apple Application allows attacker to Access Protected Resources | High |
| 8/24/2020 | SSRF within Apple Application allows attacker to Access Protected Resources | High |
| 08-11-2020 | SSRF within Apple Application allows attacker to Access Protected Resources | High |
| 7/17/2020 | SSRF within Apple Application allows attacker to Access Protected Resources | High |
| 8/24/2020 | Stored XSS on Apple Application | Medium |
| 7/16/2020 | Stored XSS on Apple Application allows Attacker to Escalate Privileges and Compromise Tenant Applications | High |
| 8/20/2020 | Stored XSS via Unrestricted File Upload | High |
| 08-10-2020 | Stored XSS via Unrestricted File Upload | Medium |
| 8/19/2020 | Various 2FA Bypasses allow Attacker to Access Account Details without Solving MFA Challenge | High |
| 7/26/2020 | Various VPNs Affected by Local File Disclosure Vulnerability | High |
| 08-06-2020 | Vertica SQL Injection via Unsanitized Input Parameter | Critical |
| 08-05-2020 | Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account | Critical |
| 8/14/2020 | Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account | Critical |
| 08-01-2020 | XXE via Enabled External Entity Processing | High |

Apple certainly responded quickly, which is not surprising given the seriousness of the vulnerabilities found: the hackers even managed to gain access to the source code for iOS, macOS, and other Apple projects.

As of October 6, 2020, most of these findings have been fixed and credited. They were typically remediated within 1-2 business days, with some fixed in as little as 4-6 hours. The researchers have received four payments totaling $51,500 so far. Apple appears to make batch payments, however, and will presumably pay for more of the issues in the coming months.
