Apple cannot understand the basics.
But security is one of the most difficult challenges in software development – far more difficult than regular features.
Between July 6 and October 6, I, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked the Apple bug bounty program.
During our engagement, we found a number of vulnerabilities in core areas of the infrastructure that would have allowed an attacker to compromise both customer and employee applications, launch a worm that could automatically take over the victim’s iCloud account, retrieve the source code for internal Apple projects, fully compromise an industrial control software used by Apple, and take over the sessions of Apple employees with the ability to access management tools and sensitive resources.
A total of 55 vulnerabilities were detected: 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity. These severities were assessed by us for summary purposes and depend on a mix of CVSS and our understanding of the business-related effect.
As of October 6, 2020, the vast majority of these findings have been resolved and credited. They were usually repaired within 1-2 business days (where some were resolved in as little as 4-6 hours).
MPG: should give some pause. Then consider government actors.