A team of five ethical hackers have discovered a grand total of 55 vulnerabilities in a range of Apple’s services, with almost a dozen flaws rated as critical. The disclosed security loopholes – which were found over a span of three months and were promptly fixed – have earned the white-hat hackers a total of US$288,500 in rewards under Apple’s bug bounty program. And even that may not be the final tally, since those are cash rewards for “only” 32 vulnerabilities, with payouts for the rest likely to follow soon.
“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” said the five white hats.
RELATED READING: Is bug hunting a viable career choice?
No fewer than 11 vulnerabilities are considered critical, with 29 deemed high, 13 classified as medium, and the remaining two ranked as low. To evaluate the severity of the flaws, the team used a combination of the Common Vulnerability Scoring System (CVSS) and their knowledge of how much business-related impact the bugs would have.
There are two vulnerabilities that particularly stand out among the flaws: a remote code execution (RCE) flaw that could allow for a full compromise of the Apple Distinguished Educators program and a wormable stored cross-site scripting (XSS) vulnerability that could let a threat actor steal iCloud Data.
In the case of the former, a threat actor who successfully circumvents authentication and gets access to the administration console could completely compromise the application. “Overall, this would’ve allowed an attacker to execute arbitrary commands on the ade.apple.com web server, access the internal Lightweight Directory Access Protocol (LDAP) service for managing user accounts and access the majority of Apple's internal network,” according to the white hats.
RELATED READING: Apple issues security patches for … just about everything
Meanwhile, the researchers were also able to put together a proof-of-concept where they went on to demonstrate how a hacker could potentially exploit the wormable XSS loophole. The attack involves modifying a Cascading Style Sheets tag, which would then be sent by email to an iCloud email address. An attacker could covertly pilfer all data that the victim has stored on their iCloud, including photos, videos, and documents, as well as spread the malicious email to everyone on the victim’s contact list.
The team praised the Cupertino tech giant for its quick response time: “Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation.” Most of the other flaws were fixed within 1-2 business days.