Home / Technology / Apple pays $ 288,000 to the white-hat hackers who managed the corporate network

Apple pays $ 288,000 to the white-hat hackers who managed the corporate network

Within a black and white Apple logo, a computer screen depicts someone typing.

Nick Wright. Used with permission.

For months, Apple’s corporate network has been at risk of cyberattacks that could have stolen sensitive data from potential millions of customers and run malicious code on their phones and computers, a security researcher said Thursday.

Sam Curry, a 20-year-old researcher specializing in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 1

1 of them as critical because they allowed him to take control of Apple’s core infrastructure and steal private emails, iCloud data, and other private information from there.

The 11 critical bugs were:

  • Remote code execution via authorization and authentication bypass
  • Bypassing authentication using incorrectly configured permissions allows global administrator access
  • Command injection via uncleaned filename argument
  • Remote code execution via leaked secret and administration tool exposed
  • The memory leak leads to the compromise of the user and employee account which allows access to various internal applications
  • Vertica SQL Injection via uncleaned input parameter
  • The controllable stored XSS allows the attacker to completely compromise the victim’s iCloud account
  • The controllable stored XSS allows the attacker to completely compromise the victim’s iCloud account
  • Full Response SSRF allows the attacker to read the internal source code and access protected resources
  • Blind XSS allows the attacker to access the internal support portal for monitoring customer and employee issues
  • Server-side PhantomJS execution allows the attacker to access internal resources and retrieve AWS IAM keys

Apple promptly resolved the vulnerabilities after Curry reported them within three months, often within hours of his initial warning. The company has so far processed about half of the vulnerabilities and has pledged to pay $ 288,500 for them. Once Apple processes the rest, Curry said, the total payment could exceed $ 500,000.

“Had the problems been used by an attacker, Apple would have faced massive information disclosure and loss of integrity,” Curry said in an online chat hours after publishing a 9,200-word article titled We hacked Apple for 3 months – here’s what we found. “For example, attackers would have access to internal tools used for managing user information and would also be able to modify systems around to function as hackers intended.”

Curry said the hacking project was a joint venture that also included fellow researchers:

Two of the worst

Among the most serious risks were those represented by an archived cross-site scripting vulnerability (typically abbreviated to XSS) in the JavaScript parser used by the servers at www.iCloud.com. Since iCloud provides services to Apple Mail, the flaw could be exploited by sending someone with an iCloud.com or Mac.com address an email that included malicious characters.

The target just needs to open the email to be hacked. Once this happened, a hidden script within the malicious email allowed the hacker to perform all actions the target could perform when they accessed iCloud in the browser. Below is a video showing a proof-of-concept exploit that sent all the photos and contacts of the target to the attacker.

Theoretical verification

Curry said the archived XSS vulnerability is wormable, meaning it could spread from user to user when they did nothing but open the malicious email. Such a worm would have worked by including a script that sent a similar email to every iCloud.com or Mac.com address in the victims’ contact list.

A separate vulnerability, in a site reserved for Apple Distinguished Educators, was the result of assigning a default password – “### INvALID #%! 3” (without quotes) – when someone sent a question that included a username, name and surname, e-mail address and employer.

“If someone had applied using this system and there were features where you can authenticate yourself manually, you can simply log into your account using the default password and bypass the ‘Sign in with Apple’ login entirely,” Curry wrote.

Eventually, the hackers were able to use bruteforcing to guess a user with the name “erb” and, with that, to manually log into the user’s account. The hackers then logged into several other user accounts, one of which had “master administrator” privileges on the network. The image below shows the Jive console, used to run online forums, which they have seen.

With interface control, hackers could have run arbitrary commands on the web server by controlling the ade.apple.com subdomain and accessing the internal LDAP service which stores user account credentials. With that, they could have accessed much of Apple’s remaining internal network.

Going out of your mind

In all, Curry’s team found and reported 55 vulnerabilities with severities of 11 critical, 29 high, 13 medium, and two low. The list and the dates they were found are listed in Curry’s blog post, which is linked above.

As is clear from the list above, the hacks described here are just two of a long list that Curry and his team have been able to pull off. They ran them under Apple’s bug bounty program. Curry’s post claims Apple paid a total of $ 51,500 in exchange for private reports related to four vulnerabilities.

As I was reporting and writing this post, Curry said he received an email from Apple informing him that the company was paying an additional $ 237,000 for another 28 vulnerabilities.

“My response to the email was, ‘Wow! I’m in a weird state of shock right now,'” Curry told me. “I’ve never been paid that much at once. Everyone in our group is still a little bit crazy.”

He said he expects the total payout to exceed $ 500,000 once Apple has digested all reports.

An Apple representative released a statement that read:

At Apple, we carefully protect our networks and have dedicated teams of information security professionals working to detect and respond to threats. As soon as the researchers alerted us to the problems described in their report, we immediately fixed the vulnerabilities and took steps to prevent future problems of this type. Based on our logs, the researchers were the first to discover the vulnerabilities, so we are confident that no user data has been misused. We appreciate our collaboration with security researchers to help keep our users safe and have accredited the team for their assistance and will reward them from the Apple Security Bounty program.

Source link