Pierluigi Paganini October 12, 2020

Researchers received hundreds of thousands of dollars in bug bounties for reporting 55 vulnerabilities as part of the Apple bug bounty program.

A team of researchers composed of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes reported a total of 55 flaws to Apple as part of the company bug bounty program.

The flaws were all covered by Apple’s bug bounty program, 11 vulnerabilities have been rated critical and 29 rated high severity.

Some of the flaws were addressed by Apple a few hours after they have been reported by the researchers.

The researchers already received for these issues 32 payrolls for a total of $288,500, but likely will receive more for the other flaws reported.

The experts published technical details for some of the vulnerabilities they found.

“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.” reported the experts.

The experts discovered how to fully compromise the Apple Distinguished Educators Program via Authentication and bypass authorization and hot to fully compromise the DELMIA Apriso Application via authentication bypass.

The experts also detailed wormable Stored Cross-Site Scripting vulnerabilities that could allow attackers to steal iCloud data through a modified email and a command injection issue in Author’s ePublisher.

The experts also reported a full response SSRF on iCloud that could allow attackers to retrieve Apple Source Code.

The experts pointed out that many of the flaws could have been exploited by threat actors to gain access to Apple’s internal network and execute arbitrary commands on the company’s web servers.

“Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation,” concludes Curry.

“Since no-one really knew much about their bug bounty program, we were pretty much going into unchartered territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities,”

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]