{"id":30387,"date":"2020-10-08T16:16:12","date_gmt":"2020-10-08T20:16:12","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=30387"},"modified":"2021-07-13T11:52:47","modified_gmt":"2021-07-13T15:52:47","slug":"we-hacked-apple-for-3-months","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/10\/08\/we-hacked-apple-for-3-months\/","title":{"rendered":"We Hacked Apple for 3 Months"},"content":{"rendered":"

Sam Curry<\/a> (via Steve Troughton-Smith<\/a>, Hacker News<\/a>):<\/p>\n

Between the period of July 6th to October 6th myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.<\/p>\n

[…]<\/p>\n

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.<\/p>\n

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports.<\/p><\/blockquote>\n

Most have already been fixed.<\/p>\n\n

One example<\/a>:<\/p>\n

During testing the iCloud application we noticed that you could open up certain attachments from the iCloud mail application in the iCloud pages application via the “Open in Pages” functionality. When you submitted the form to do this, it sent an HTTP request containing a URL parameter which included the URL of the mail file attachment in the request.[…] If you attempted to modify this URL to something arbitrary[…] Our proof of concept for this report was demonstrating we could read and access Apple’s internal maven repository which contained the source code for what appeared to be hundreds of different applications, iOS, and macOS.\n\n<\/p><\/blockquote>\n\n

Brandon Azad<\/a>:<\/p>\n

\n

It’s with both bittersweet sadness and excitement that I say goodbye to Project Zero, as I’ll be joining Apple next week to continue my work improving Apple device security.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n