Apple Pays Out Big for Planned Attack

Apple is expected to pay out about half a million dollars to a group of security researchers who exposed numerous critical vulnerabilities in the company’s infrastructure. The researchers found alarming holes that put millions of Apple’s customers (i.e. you and me) at risk of having sensitive data stolen. 

A total of 55 vulnerabilities were discovered by Sam Curry and his team of cybersecurity experts (no relation to Steph Curry and his team of basketball experts). Eleven of those vulnerabilities were rated “critical” because they allowed the team to get into Apple’s infrastructure and reach private information such as emails and iCloud data. 

“At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats,” the company wrote in a statement. “As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind. Based on our logs, the researchers were the first to discover the vulnerabilities so we feel confident no user data was misused. We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.”

Fortunately for the company (and its unwavering fanbase), this was authorized testing under the Apple Security Bounty program. That is to say, Apple essentially invited this group of ethical hackers to seek out vulnerabilities in its infrastructure, agreeing to pay them a sum of money depending on the nature and severity of the holes they could demonstrate. 

Also fortunately for us, Apple fixed the critical vulnerabilities soon after Curry’s team reported them. So far Apple has processed about half of the reports and has shelled out $288,500. Curry expects that number to reach the half-a-million mark once all is said and done. 

That’s a relatively large amount of money, but large amounts of money have become pretty par for the course as massive organizations look for ways to shore up their defenses before real attackers find the same holes. 

Verizon Media spent $5 million in 2018 on its own bug bounty program. 

Microsoft dropped a company record-setting $2 million that same year. Microsoft is also responsible for the largest single-person payout of $200,000 in 2012. 

Google spent $3.4 million in rewards in 2018, bringing the company’s total to $15 million since the bounty program’s inception in 2010. 

Facebook has paid out $7.5 million since creating a program of its own in 2011. 

The DoD spent just $150,000 after hackers identified 138 vulnerabilities in 2016, saving the government about $850,000 in expenses associated with more traditional measures. 

United Airlines doesn’t hand out money (shocker), but is willing to provide successful white hat hackers with free air miles. That includes the 1 million miles given to a 19-year-old security researcher from the Netherlands. For those wondering, that’s equal to about 137 round-trip flights from Amsterdam to New York City, or roughly 40 trips around the globe. No word on whether those miles include checked bags, but who are we kidding?

Apple first launched its program in 2016, initially created as an invite-only opportunity. That changed in late 2019, when the company announced plans to open the doors for all security researchers. That included a chance for ethical hackers to look into iCloud, iPadOS, macOS, tvOS, and watchOS. 

Unauthorized iCloud account access nets hackers anywhere from $25,000–$100,000. Bypassing the lock screen has a similar range. Proof of extraction of user data ranges from $100,000–$250,000. The highest prize goes to those who can accomplish a “zero-click remote chain with full kernel execution and persistence,” netting them a cool $1 million. 

As for Curry and his team, they were able to exploit a stored cross-site scripting vulnerability in Apple’s iCloud website. In simpler terms, a user with an iCloud or Mac email address could be compromised simply by opening a crafted email in the iCloud webmail client. The attacker’s script then ran with whatever access the victim had while using iCloud in the browser (photos, videos, and contacts, among others), and because it could send the same email on to the victim’s contacts, the bug was wormable. 
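As an added illustration of the class of bug described above (this is constructed example code, not Apple’s code and not the researchers’ actual payload, which the article does not reproduce): a webmail client that renders HTML email and relies on a blocklist “sanitizer” that strips `<script>` blocks in a single pass can be bypassed by nesting tags, so that removing the inner match reassembles a live script tag. The allowlist version below escapes everything except a handful of attribute-free formatting tags, which is the general approach a mail client needs. The payload string and the tag list are both assumptions made for this example.

```javascript
// Constructed example: a naive blocklist sanitizer versus an allowlist sanitizer
// for HTML email bodies. Not Apple's code; the payload is a generic textbook case.

// Naive sanitizer: removes <script>...</script> blocks in a single pass.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Constructed payload: the inner <script>x</script> is stripped, and the
// remaining fragments join into a working <script> tag.
const CONSTRUCTED_PAYLOAD =
  '<scr<script>x</script>ipt>alert(document.cookie)</script>';

// Allowlist sanitizer: every tag not explicitly permitted (or carrying any
// attribute at all) is HTML-escaped and therefore rendered as text.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']); // assumption

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

function allowlistSanitize(html) {
  const out = [];
  // Matches anything tag-shaped: optional '/', a tag name, then attributes up to '>'.
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeHtml(html.slice(last, m.index))); // text between tags
    const name = m[1].toLowerCase();
    const isClose = m[0][1] === '/';
    const attrs = m[2].trim();
    // Re-emit only allowlisted tags with no attributes: no onerror=, no
    // href="javascript:", no style=. Everything else becomes inert text.
    if (ALLOWED_TAGS.has(name) && attrs === '') {
      out.push(isClose ? `</${name}>` : `<${name}>`);
    } else {
      out.push(escapeHtml(m[0]));
    }
    last = tagRe.lastIndex;
  }
  out.push(escapeHtml(html.slice(last)));
  return out.join('');
}

// Returns true when the sanitized output still contains a raw '<', i.e. could
// still be parsed as markup by the browser.
function leavesMarkup(sanitizer, html) {
  return sanitizer(html).includes('<');
}

console.log('naive     :', naiveSanitize(CONSTRUCTED_PAYLOAD));
console.log('allowlist :', allowlistSanitize(CONSTRUCTED_PAYLOAD));
console.log('allowlist keeps <b>:', allowlistSanitize('<b>hello</b>'));
```

The naive version hands the browser `<script>alert(document.cookie)</script>`, exactly the tag it was supposed to remove; the allowlist version emits no raw `<` at all for the payload while still keeping plain `<b>` formatting. A production client should use a parser-based sanitizer (such as DOMPurify) and a Content Security Policy rather than regexes, since string-level tokenizing still has corner cases around malformed markup and CSS.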

Of the 55 vulnerabilities Curry’s team reported, 11 were rated critical, 29 high, 13 medium, and two low. For those curious, here’s the list of critical (and totally not reader-friendly) vulnerability titles from the team’s write-up; two distinct bugs of the same class share a title, which is why it appears twice: 

  • Remote Code Execution via Authorization and Authentication Bypass

  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access

  • Command Injection via Unsanitized Filename Argument

  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool

  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications

  • Vertica SQL Injection via Unsanitized Input Parameter

  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account

  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account

  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources

  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking

  • Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys