A team of five researchers spent three months and hundreds of man-hours hunting for vulnerabilities on Apple's sites. The team consisted of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes.
Team lead Sam Curry, 20, described what happened on his blog this week. He says the bug hunt was initially meant to be a small side project that the researchers would work on whenever they had free time. The coronavirus pandemic soon changed those plans: the group suddenly had a lot of free time, and as a result hundreds of man-hours went into the research. Curry admits that at first the team did not expect it to end up taking three whole months.
As a result, the researchers found 55 different vulnerabilities in Apple's online services, 11 of them critical. For example, one of the most serious bugs would have allowed an attacker to create a worm that automatically steals all photos, videos and documents from someone else's iCloud account and then does the same to all of the victim's contacts. A PoC demo of this attack can be seen below.
The researchers also write that they could have gained access to Apple's source code repository, the "holy grail," where the company stores the source code for "hundreds of different applications for iOS and macOS."
Here are the 11 critical bugs found by the researchers:
- remote code execution via an authentication and authorization bypass;
- an authentication bypass through misconfigured permissions, giving an attacker global administrator access;
- command injection via an improperly sanitized filename argument;
- remote code execution through a leaked secret and an exposed administrator tool;
- a memory leak leading to the compromise of employee and user accounts and giving access to various internal applications;
- Vertica SQL injection via improperly sanitized input;
- a stored XSS with worm potential, allowing complete compromise of the victim's iCloud account;
- SSRF allowing access to internal source code and protected resources;
- blind XSS allowing access to an internal support portal used to track customer and employee issues;
- server-side PhantomJS execution allowing access to internal AWS IAM resources and keys.
Given the average payout for vulnerabilities in Apple products, one might think the researchers had hit the jackpot, but in fact things turned out differently. Curry wrote that the company quickly fixed all the bugs found but paid the specialists only $55,100. That works out to roughly $250 per vulnerability per person, or $17,171 per month for each researcher.
Vice's Motherboard quotes Phobos CEO Dan Tentler, who is convinced that "it's incredibly small":
“Fifty thousand is the money I would expect to see for a two to four week safety assessment, but the problems these amazingly talented people found are worth orders of magnitude more.
Imagine if they had been discovered by some government hackers. Imagine how massive the damage could be. Apple makes it clear that it costs them only $50,000. To me, this is crazy; it goes against all those high-profile public marketing campaigns in which (Apple) says it takes privacy and security seriously.”
This view, however, is not shared by cybersecurity veteran Katie Moussouris. The founder of Luta Security is best known for coordinating bug bounty programs for Microsoft, Symantec and the Pentagon. In her view, the payout amount may well be fair.
“The skills needed to find web vulnerabilities are more common than the skills needed to jailbreak mobile devices or iOS,” says Moussouris. “Following this logic, Apple reserves higher payouts for hacking its main OS rather than for hacking its sites. That being said, there is no doubt that they are willing to pay for iCloud data compromise and other problems.
The real question is: could Apple have paid the same amount to professional pentesters, given them all the documentation they needed instead of having them waste time studying a black box, and ended up with the same result in much less time and for the same amount?”
Meanwhile, former Apple employees joked on Twitter that bug bounties are just a way to attract cheap labor.
$ 51,500 / 5/3 pre tax = very cheap labor
– fG! (@osxreverser) October 8, 2020
It should be noted that from the outset Curry stressed on his blog that his team would most likely receive further payments in the coming months. He wrote that fixing 55 bugs and processing all of those reports is clearly harder than fixing one or two vulnerabilities. The researcher's only complaint was the lack of information about the process; overall he was satisfied with the bug bounty program.
Shortly after this story reached the Western media, Apple representatives responded and commented on the situation. The company again thanked the researchers for their work, and the payout to Curry and his colleagues quickly rose to $288,500, even though so far Apple has paid for only 32 of the 55 bugs found.
Photo: Sam Curry