Security researchers hacked Apple for 3 months: Here’s what they found

After finding out about Apple’s Bug Bounty Program, a group of security researchers — Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes — worked together and hacked Apple from July 6, 2020 to October 6, 2020. Here’s what they found.

Sam Curry:

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.

As of October 6th, 2020, the vast majority of these findings have been fixed and credited. They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours).

As of now, October 4th, we have received four payments totaling $51,500… However, it appears that Apple does payments in batches and will likely pay for more of the issues in the following months.

MacDailyNews Take: Thanks to white hat hackers like these guys, Apple’s products, systems, and services get ever more secure!

There’s tons more, including several vulnerability write-ups, in the full article.

[Attribution: AppleInsider. Thanks to MacDailyNews Readers “Fred Mertz” and “Brawndo Drinker” for the heads up.]

6 Comments

  1. A. Apple should hire these guys immediately, having them do nothing but work on hacking Apple constantly in order to find vulnerabilities.

    B. Apple should quickly develop a team that works with these guys, to better learn how to build new software that is more bulletproof from the start.

    C. $51k? They should have paid these guys $20m!!!

  2. I left Miro$oft back in 2004 and bought my first 17″ MacBook Pro back in 2004. I can’t believe that the T2 Security Chip has been compromised and Apple can’t fix it. What are we supposed to do about this dang screw up, etc.? A new Motherboard with a T2 Chip that does its job. I don’t know what to do. I’m using Intego Software with built in Anti-Virus and Firewall and a Cookie Cleaner. What do you think about this, Apple?

  3. Really, really disappointing how poor Apple engineering has become. The T2 is a disaster — and did they ever fix the Thunderbolt 3 fiasco? How about sending my IP address and the app I just launched in clear text across the internet? Up your game, Apple.
