
Apple pays $288,000 to hackers who have owned the company’s network

Image: a black and white Apple logo silhouetted against a computer screen, with someone typing. Credit: Nick Wright. Used with permission.

For several months, Apple’s corporate network had vulnerabilities that could have let hackers steal sensitive data from potentially millions of customers and execute malicious code on their phones and computers, a security researcher said Thursday.

Sam Curry, a 20-year-old researcher who specializes in cybersecurity, said he and his team found a total of 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of Apple’s core infrastructure and, from there, steal private emails, iCloud data and other private information.

The 11 critical bugs were:

  • Remote code execution via authorization and authentication bypass
  • Authentication bypass via misconfigured permissions allows global administrator access
  • Command injection via unsanitized filename argument
  • Remote code execution via leaked secret and exposed administrator tool
  • Memory leak leads to employee and user account compromise, allowing access to various internal applications
  • Vertica SQL injection via unsanitized input parameter
  • Wormable stored XSS allows the attacker to fully compromise the victim’s iCloud account
  • Wormable stored XSS allows the attacker to fully compromise the victim’s iCloud account
  • Full response SSRF allows the attacker to read internal source code and access protected resources
  • Blind XSS gives the attacker access to the internal support portal used to track customer and employee issues
  • Server-side PhantomJS execution gives the attacker access to internal resources and retrieves AWS IAM keys

Apple resolved the vulnerabilities promptly after Curry reported them over a three-month period, often within hours of his initial report. The company has so far addressed about half of the vulnerabilities and committed to paying $288,500 for them. Once Apple has processed the rest, Curry said, the total payout could exceed $500,000.

“If the issues were used by an attacker, Apple would have faced massive information leaks and loss of integrity,” Curry said in an online chat a few hours after publishing a 9,200-word post titled We Hacked Apple for 3 Months: Here’s What We Found. “For example, attackers would have had access to the internal tools used to manage user information and, in addition, would have been able to modify the systems so that they worked as the hackers intended.”

Curry said the hacking project was a joint venture that also included other researchers.

Two of the worst

Among the most serious risks were stored cross-site scripting (usually abbreviated XSS) vulnerabilities in the JavaScript parsers used by the servers at www.iCloud.com. Because iCloud provides the service behind Apple Mail, the bug could be exploited by sending someone with an iCloud.com or Mac.com address an email containing malicious characters.

The target needed only to open the email to be hacked. When that happened, a script hidden inside the malicious email let the attacker perform any action the target could have performed when using iCloud in the browser. Below is a video showing a proof-of-concept exploit that sent all of the target’s photos and contacts to the attacker.

Proof of concept

Curry said the stored XSS vulnerability was wormable, meaning it could spread from user to user when they did nothing more than open the malicious email. Such a worm would have worked by including a script that sent a similarly crafted email to every iCloud.com or Mac.com address in the victim’s contact list.
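The root cause described above is a classic one: content from an untrusted email is handed to the page’s markup without being encoded for the context it lands in. As an added illustration (this is not code from the article, from Curry’s team or from Apple, and the message fields, function names and sample payloads are all constructed), the following JavaScript places the vulnerable rendering pattern beside a hardened one. Text fields are entity-encoded for HTML, and link targets are restricted to an allowlist of URL schemes so that `javascript:` and `data:` URLs are never emitted as an `href`.

```javascript
// Added example, not from the article or from Apple's code base.
// Message shape ({subject, body, link}) and all sample values are constructed.

// Encode a string for placement in HTML text or inside a double-quoted attribute.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Allow only http(s) and mailto links. Anything else (javascript:, data:,
// vbscript:, or an unparseable value) is replaced by an inert placeholder.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (["http:", "https:", "mailto:"].includes(parsed.protocol)) {
      return parsed.href;
    }
  } catch (_) {
    // not an absolute, parseable URL: fall through to the placeholder
  }
  return "#";
}

// Vulnerable pattern: untrusted fields are interpolated straight into markup,
// so a tag or event handler in the email body runs in the reader's session.
function renderUnsafe(mail) {
  return `<div class="subject">${mail.subject}</div>` +
         `<div class="body">${mail.body}</div>` +
         `<a href="${mail.link}">link</a>`;
}

// Hardened pattern: every untrusted field is encoded for its exact context,
// and the link target passes through the scheme allowlist first.
function renderSafe(mail) {
  return `<div class="subject">${escapeHtml(mail.subject)}</div>` +
         `<div class="body">${escapeHtml(mail.body)}</div>` +
         `<a href="${escapeHtml(safeHref(mail.link))}">link</a>`;
}

// Constructed sample message. The payloads are harmless illustrations of the
// two injection contexts: an element with an event handler, and a script URL.
const SAMPLE_MAIL = {
  subject: 'Hello "friend"',
  body: '<img src=x onerror="alert(1)">',
  link: "javascript:alert(document.cookie)",
};

// Helper for comparing the two renderers over the same untrusted field.
function bodyIsEncoded(html) {
  return !html.includes("<img") && html.includes("&lt;img");
}

console.log(renderUnsafe(SAMPLE_MAIL)); // tag and script URL survive intact
console.log(renderSafe(SAMPLE_MAIL));   // tag is inert text, href is "#"
```

The point of contrasting the two functions is that the fix is not a blocklist of dangerous strings but a rule applied uniformly: encode at the point of output, for the context of output. Applying `escapeHtml` to the result of `safeHref` is deliberate, since the URL check decides what the link may do and the encoding decides how it is embedded.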

A separate vulnerability, on a website reserved for Apple Distinguished Educators, was the result of assigning a default password – “###INvALID#%!3” (not including the quotes) – when someone submitted an application containing a username, first and last name, email address and employer.

“If someone had searched using this system and the existing functionality where you could manually authenticate, you could just log in to their account using the default password and completely bypass the ‘Log in with Apple’ login,” Curry wrote.

Finally, the hackers used brute-force guessing to find a user named “erb” and, with that, manually logged in to the user’s account. They then went on to log in to several other user accounts, one of which had “core administrator” privileges on the network. The image below shows the Jive console, which is used to run online forums, as they saw it.

With control of the console, the hackers could have executed arbitrary commands on the web server controlling the ade.apple.com subdomain and accessed the internal LDAP service that stores user account credentials. With that, they could have gained access to much of Apple’s remaining internal network.

Freaking out

In total, the Curry team found and reported 55 vulnerabilities: 11 rated critical, 29 high, 13 medium and two low. The full list, with the dates on which each was found, appears in Curry’s blog post, linked above.

As the list above makes clear, the hacks described here are just two of a long list that Curry and his team were able to carry out. They performed them under Apple’s bug bounty program. Curry’s post said Apple paid a total of $51,500 in exchange for private reports of four vulnerabilities.

As I was reporting and writing this post, Curry said he received an email from Apple informing him that the company was paying an additional $237,000 for 28 other vulnerabilities.

“My reply to the email was: ‘Wow! I’m in a strange state of shock right now,’” Curry told me. “I have never been paid so much at once. Everyone in our group is still a little freaking out.”

He said he expects the total payout to exceed $500,000 when Apple digests all the reports.

An Apple representative issued a statement saying:

At Apple, we carefully protect our networks and have dedicated teams of information security professionals working to detect and respond to threats. As soon as the researchers notified us of the problems they describe in the report, we immediately resolved the vulnerabilities and took steps to prevent future problems of this type. Based on our logs, the researchers were the first to detect the vulnerabilities, so we feel confident that no user data was misused. We value our collaboration with security researchers to keep users safe and have credited the team for their help and will reward them from the Apple Security Bounty program.
