
Security Researchers Awarded over $250,000 for Reporting 55 Vulnerabilities in Apple’s Bug Bounty Program

A comprehensive three-month analysis of Apple's online services has netted a team of security researchers a $288,500 reward after they reported critical vulnerabilities through Apple's bug bounty program.

In total, the researchers disclosed 55 vulnerabilities, including 11 flagged critical, 29 high and 13 medium in severity.

If exploited, these vulnerabilities “would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account,” the researchers said.

Some flaws could even give bad actors the means to take over employees’ sessions, allowing access to management tools or sensitive resources.

As their report suggests, the iPhone manufacturer was highly responsive, fixing some of the critical bugs within hours of disclosure.

“Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation,” the researchers added.

The critical bugs flagged by security researchers include:

• Remote Code Execution via Authorization and Authentication Bypass
• Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
• Command Injection via Unsanitized Filename Argument
• Remote Code Execution via Leaked Secret and Exposed Administrator Tool
• Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
• Vertica SQL Injection via Unsanitized Input Parameter
• Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
• Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
• Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
• Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
• Server Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys

One of the critical bugs was found in the Apple Distinguished Educators website ("ade.apple.com"). The flaw could have let attackers access the administrator console and execute arbitrary code by bypassing authentication using a hidden default password.

A separate critical flaw could allow bad actors to steal iCloud data such as photos, calendar information and documents by sending the victim a crafted email.

“There is a mail app on both iOS and Mac which is installed by default on the products,” the report reads.

"The mail service is hosted on 'www.icloud.com' alongside all of the other services like file and document storage. This meant, from an attacker's perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service. We began to look for any cross-site scripting issues at this point."
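The quoted passage is the crux of why a single stored XSS in the mail client was worth an entire account: the client runs on the same origin as every other iCloud service, so injected script inherits that origin's session and can call any of its APIs. The example below is added here and is not code from the researchers' report or from Apple. It is a small allow-list sanitizer for inbound HTML email, the kind of check a webmail front end must apply before rendering untrusted messages. The tag and attribute lists, the helper names and the sample message are all assumptions made for the illustration, and a production service should rely on a maintained, parser-based sanitizer rather than this regex-based sketch.

```javascript
// Added example, not code from the researchers' report or from Apple: an
// allow-list sanitizer for inbound HTML email. Everything below (allowed
// tags, attribute policy, sample message) is constructed for illustration.
// A deployed webmail client should use a maintained, parser-based sanitizer
// such as DOMPurify; this regex-based version only shows the principle.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "div", "span"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };          // no on*, style, src, ...
// Elements whose content is discarded along with the tag itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "template"]);

function codePoint(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

function decodeNumericEntities(s) {
  // Browsers decode &#x6A; and &#106; inside attribute values, so the scheme
  // check must see the decoded form. Named entities (&Tab; etc.) are not
  // handled here; a parser-based sanitizer covers them.
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(Number(d)));
}

function safeHref(value) {
  // Only absolute http(s) and mailto links survive. Whitespace and control
  // characters are stripped first because "java\tscript:" still executes.
  const cleaned = decodeNumericEntities(value).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return /^(https?:|mailto:)/.test(cleaned);
}

function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let a;
  while ((a = attrRe.exec(raw)) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if (!allowed.has(name)) continue;                       // drops event handlers etc.
    if (name === "href" && !safeHref(value)) continue;      // drops javascript:/data: links
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

function escapeText(s) {
  // Text nodes keep their existing entities; only angle brackets are escaped.
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeEmailHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const isClose = m[0][1] === "/";
    const name = m[1].toLowerCase();
    if (!isClose && DROP_WITH_CONTENT.has(name)) {
      // Skip everything up to the matching close tag (or end of input).
      const closeRe = new RegExp(`</${name}\\s*>`, "ig");
      closeRe.lastIndex = last;
      const c = closeRe.exec(html);
      last = c ? closeRe.lastIndex : html.length;
      tagRe.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;                  // unknown tag dropped, its text kept
    out += isClose ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample message: benign markup mixed with the kinds of payload a
// stored XSS in a webmail client relies on.
const SAMPLE_EMAIL =
  '<p>Hi <b>there</b>, <a href="https://example.com/?a=1&amp;b=2">see this</a></p>' +
  '<script>fetch("/api/contacts")</script>' +
  '<a href="&#106;avascript:alert(1)" onclick="steal()">click</a>' +
  '<img src=x onerror="alert(document.cookie)">';

console.log(sanitizeEmailHtml(SAMPLE_EMAIL));
```

Two edge cases are worth noticing in the output: script and style elements vanish together with their bodies rather than leaving the payload behind as text, and the `javascript:` link is rejected even when its scheme is hidden behind numeric character references or embedded whitespace. The other half of the defence the quote implies, serving the mail client from an origin of its own so that a residual XSS cannot reach file and document storage, is a deployment decision that no sanitizer can substitute for.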

About the author

Alina Bizga

Alina has been a part of the Bitdefender family for some years now, as her past role involved interfacing with end users and partners, advocating Bitdefender technologies and solutions. She is a history buff and passionate about cybersecurity and anything sci-fi. Her spare time is usually split between her two feline friends and traveling.