A team of five ethical hackers (Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes) found a total of 55 vulnerabilities in Apple's online services, 11 of them critical, over a three-month engagement and reported them to Apple. The group has so far earned US$288,500 under Apple's bug bounty program, and that figure may still grow: the payments received cover only 32 of the reported flaws.
The first step in hacking Apple was to work out what to actually target. Ben Sadeghipour and Tanner Barnes began by enumerating what Apple owned (domains, IP ranges and exposed hosts) and which of it was reachable, to establish what was in scope for the hunt.
Some of the vulnerabilities came directly out of automated scanning of that inventory, for example:
- Cisco CVE-2020-3452, a recently disclosed (one-day) local file read affecting the VPN servers
- A leaked Spotify access token in an error message on a broken website
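The Cisco finding above is the kind of issue an automated scanner or a log review catches. As an added example that is not part of the original article or the team's tooling, the following Python detector scans constructed web-server log lines for probes of CVE-2020-3452. The request path and the traversal in the lang parameter follow the publicly documented probe for this CVE; the log lines and IP addresses are constructed, and the script assumes a combined-log-format access log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 2 and 3 are traversal probes (plain and percent-encoded), line 4 is a
# legitimate request to the same endpoint with a normal language value.
SAMPLE_LOGS = [
    '203.0.113.7 - - [08/Oct/2020:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 1834',
    '203.0.113.9 - - [08/Oct/2020:10:01:05 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 12922',
    '198.51.100.4 - - [08/Oct/2020:10:02:11 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=%2e%2e/ HTTP/1.1" 200 12922',
    '198.51.100.5 - - [08/Oct/2020:10:03:00 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=en HTTP/1.1" 200 5120',
]

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

TRANSLATION_TABLE_PATH = "/+cscot+/translation-table"


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_cve_2020_3452_probe(target):
    """True if the request target is a traversal probe against the translation-table
    endpoint: the documented trigger is a 'lang' value containing '../'."""
    parts = urlsplit(target)
    if decode_fully(parts.path).lower() != TRANSLATION_TABLE_PATH:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    lang = decode_fully(query.get("lang", [""])[0])
    return "../" in lang or "..\\" in lang


def scan_logs(lines):
    """Return (ip, status, target) for every log line that looks like a probe.
    A 200 with a large body on these hits is a strong sign the read succeeded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2020_3452_probe(m["target"]):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_logs(SAMPLE_LOGS):
        print(f"{ip} {status} {target}")
```

Decoding the lang value before matching matters: a single-decode check would miss the percent-encoded and double-encoded variants, which is exactly what scanners vary first.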
Uncovered Vulnerabilities in Detail
The white-hat group found flaws in key parts of Apple's infrastructure. Together they would have let an intruder fully compromise both employee-facing and customer-facing applications, launch a worm that automatically takes over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse application used by Apple, and take over Apple staff sessions, with access to management tools and sensitive resources.
The team rated severity using a combination of the Common Vulnerability Scoring System (CVSS) and its own assessment of the business impact each bug would have. Two of the flaws stand out in particular: a remote code execution (RCE) vulnerability that allowed the Apple Distinguished Educators application to be completely compromised, and a wormable cross-site scripting (XSS) vulnerability that could let a threat actor steal iCloud data.
In the former case, a threat actor who circumvented authentication could reach the administration console and fully compromise the application. That would have allowed the intruder to execute arbitrary commands on the ade.apple.com web server, to access the internal Lightweight Directory Access Protocol (LDAP) service used for managing user accounts and, according to the white hats, to reach much of Apple's internal network.
The critical findings the team has published include:
- Full compromise of the Apple Distinguished Educators program via authentication and authorization bypass
- Full compromise of the DELMIA Apriso application via authentication bypass
- Wormable stored cross-site scripting vulnerabilities allowing an attacker to fully compromise a victim's iCloud account via a crafted email
- Command injection in Author's ePublisher
- Nova admin debug panel access via a REST error leak
- Full-response SSRF on iCloud allowing an attacker to retrieve Apple source code
- AWS secret keys via PhantomJS iTunes banners and book title XSS
- Heap dump on Apple eSign allowing an attacker to compromise various external employee management tools
- XML external entity processing to blind SSRF on the Java management API
Proof of Concept: Wormable XSS Enables Automated Theft of Photos
The researchers also put together a proof of concept showing how an attacker could exploit the wormable XSS gap. The attack relies on a modified Cascading Style Sheets (style) tag in an email sent to an iCloud address. When the victim opens the mail, the injected script can silently collect everything the victim has stored in iCloud, including photos, videos and documents, and send further malicious emails to everyone on the victim's contact list, which is what makes it wormable.
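The class of bug behind this proof of concept is a parser differential: the mail sanitizer and the browser disagree about where a style element ends. As an added example (not the researchers' PoC, and not a description of how Apple's iCloud Mail sanitizer actually worked), the Python below contrasts a hypothetical regex-based sanitizer that keeps style elements verbatim with an allowlist sanitizer built on the standard-library HTML tokeniser. The payload, the sanitizer designs and the allowlist are all constructed for the illustration; browser behaviour is approximated with html.parser, which like a browser closes a raw-text element at the first matching close tag.

```python
import html
import re
from html.parser import HTMLParser

# Constructed demonstration payload (not the researchers' PoC): a <style> whose
# raw-text body contains a second <style>, an early </style>, and then a <script>.
PAYLOAD = ('<p>Hi</p>'
           '<style><style></style><script>alert(document.cookie)</script></style>')


def naive_sanitize(src):
    """Hypothetical mail sanitizer with a parser-differential bug.

    It strips <script> elements but passes <style> elements through verbatim on
    the assumption that CSS is harmless. The greedy regex treats everything up
    to the LAST </style> as CSS text, so a <script> placed after an early
    </style> is never seen as a script at all.
    """
    script_re = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.I | re.S)
    style_re = re.compile(r'<style\b[^>]*>.*</style\s*>', re.I | re.S)  # greedy!
    out, pos = [], 0
    for m in style_re.finditer(src):
        out.append(script_re.sub('', src[pos:m.start()]))
        out.append(m.group(0))          # "only CSS": passed through untouched
        pos = m.end()
    out.append(script_re.sub('', src[pos:]))
    return ''.join(out)


class ScriptCollector(HTMLParser):
    """Approximates browser tokenisation: <style> and <script> are raw-text
    elements that end at the FIRST matching close tag. Records every script
    body the browser would execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script, self.buf, self.scripts = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.in_script = True

    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'script' and self.in_script:
            self.scripts.append(''.join(self.buf).strip())
            self.buf, self.in_script = [], False


def scripts_a_browser_would_run(doc):
    p = ScriptCollector()
    p.feed(doc)
    p.close()
    return p.scripts


class AllowlistSanitizer(HTMLParser):
    """Tokeniser-based sanitizer: re-serialises only allowlisted tags, drops all
    attributes, escapes every text node and discards <script>/<style> bodies.
    It tokenises the same way the browser does, so nesting tricks have nothing
    to confuse. The allowlist is an assumption for this example."""

    ALLOWED = {'p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li'}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip = depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip += 1
        elif not self.skip and tag in self.ALLOWED:
            self.out.append(f'<{tag}>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.ALLOWED:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))


def strict_sanitize(src):
    s = AllowlistSanitizer()
    s.feed(src)
    s.close()
    return ''.join(s.out)


if __name__ == '__main__':
    leaky = naive_sanitize(PAYLOAD)
    print('naive output :', leaky)
    print('browser runs :', scripts_a_browser_would_run(leaky))
    print('strict output:', strict_sanitize(PAYLOAD))
    print('browser runs :', scripts_a_browser_would_run(strict_sanitize(PAYLOAD)))
```

The lesson a practitioner should take from the contrast is that sanitizing HTML with regular expressions, or with any parser that does not tokenise the way the rendering engine does, leaves a gap an attacker can fit a script into; sanitize with a real tokeniser, emit an allowlist, and treat the bodies of raw-text elements as untrusted rather than "just CSS".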
Apple responded quickly to the bug reports and fixed almost all of them within a short time frame. Overall, Apple was very responsive to the reports, Curry said in a blog post. He added that as of October 8th the team had received 32 payments totaling $288,500 for the various flaws. The number may rise, since Apple pays in batches and the hackers expect further payments in the coming months. Apple's public bug bounty program is open to all interested bug hunters: in December 2019 the company opened its historically private program to the public, answering those who argued it needed to be more transparent about hardware and software defects, and set a maximum payout of $1 million to sweeten the offer.
The group obtained permission from the Apple security team to publish descriptions of the critical vulnerabilities, all of which have been patched and retested. The results are a sobering reminder that even the largest technology companies can underestimate the security of their web applications.