A group of hackers has been awarded more than $50,000 for discovering 55 vulnerabilities in Apple’s systems. Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes spent three months hacking Apple’s platforms and services and uncovered a range of weaknesses. The 55 vulnerabilities identified by the team vary in severity; the team describes the most serious ones as follows:
In the course of our engagement, various vulnerabilities were discovered in the core part of Apple’s infrastructure that would allow an attacker to completely hack into customer and employee applications, even launch a worm that automatically takes over the victim’s iCloud account, retrieve the source code for Apple’s internal projects, completely hack into the industrial-control warehouse software used by Apple, take over conversations with Apple employees, and gain access to management tools and sensitive resources.
Apple quickly addressed most of the vulnerabilities after receiving the report, some of which were resolved in just a few hours.
Overall, Apple responded very quickly to our report. For our more important reports, the time from submission to repair was only four hours.
Some of the team’s work qualified for payment under Apple’s security bounty program. As of Sunday, October 4, they had received four payments totalling $51,500. These include $5,000 for a vulnerability disclosing the full names of iCloud users, $6,000 for discovering IDOR vulnerabilities, $6,500 for gaining access to the enterprise’s internal environment, and $34,000 for discovering system memory leaks that contained customer data.
Since no one really understood their bug bounty program, we were almost entering uncharted territory by investing so much time. Apple’s history of working with security researchers is interesting, but their vulnerability disclosure program appears to be a big step in the right direction to work with hackers to secure assets and get interested people to discover and report vulnerabilities.
Apple has been actively investing in its bug bounty program since last year. Security researchers can now earn up to $1 million per vulnerability, depending on the nature and severity of the vulnerability.
With permission from Apple’s security team, the team released a wide-ranging report detailing a range of vulnerabilities and ways to locate and exploit them. They also hinted that more rewards might be on the way.