Thursday, October 8, 2020

We Hacked Apple for 3 Months

Sam Curry (via Steve Troughton-Smith, Hacker News):

Between the period of July 6th to October 6th myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.


During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports.

Most have already been fixed.

One example:

During testing the iCloud application we noticed that you could open up certain attachments from the iCloud mail application in the iCloud pages application via the “Open in Pages” functionality. When you submitted the form to do this, it sent an HTTP request containing a URL parameter which included the URL of the mail file attachment in the request.[…] If you attempted to modify this URL to something arbitrary[…] Our proof of concept for this report was demonstrating we could read and access Apple’s internal maven repository which contained the source code for what appeared to be hundreds of different applications, iOS, and macOS.

Brandon Azad:

It’s with both bittersweet sadness and excitement that I say goodbye to Project Zero, as I’ll be joining Apple next week to continue my work improving Apple device security.


Update (2020-10-09): Sam Curry:

Within the article I’d mentioned that Apple had not yet paid for all of the vulnerabilities. Right after publishing it, they went ahead and paid for 28 more of the issues making the running total $288,500.

7 Comments RSS · Twitter

Apple sure looks cheap when they pay researchers an order (or two?) of magnitude less than they'd pay their own employees to discover such a massive amount of vulnerabilities. Not to mention how many $$$ millions the spy agencies of China, Russia, etc would pay for this.

@Ben My read was that the researchers are going to eventually receive a lot more for these bugs. Only a few of them have finished going through the bug bounty process.

Ben G: As tptacek on HN explains, based on his own experience, that's not fair. Apple definitely has their own infrastructure security teams, including a red team. (Pentesting is so idiosyncratic that different teams will always find different issues.) Hiring dedicated pentest teams "past a month and you start getting into steep discounts". And bug bounty programs *always* pay less than employee rate, across all tech companies. That's in no way unique to Apple.

Besides, as Michael points out, they haven't received the full payout yet, and it's only for part-time work. I don't know what Apple pays their employees, but I doubt it's "an order (or two?) of magnitude" more than $50,000 for a couple months of part-time work.

Sorry for posting a bit quickly, but the article also mentions: "He said he expects the total payout could exceed $500,000 once Apple digests all the reports".

And quoting Curry: "I’ve never been paid this much at once. Everyone in our group is still a bit freaking out.”

So $288k for sure, maybe more. That seems more in line with the amount of work put in.

Thanks for the updates. ~$500k seems much more reasonable.

Leave a Comment