After learning about Apple’s Bug Bounty program, a group of security researchers – Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes – worked together and hacked Apple from July 6, 2020 to October 6, 2020. Here’s what they found.
During our engagement, we found a number of vulnerabilities in core areas of the infrastructure that would have allowed an attacker to compromise both customer and employee applications, launch a worm that could automatically take over the victim’s iCloud account, retrieve the source code for internal Apple projects, fully compromise industrial control software used by Apple, and take over the sessions of Apple employees with the ability to access management tools and sensitive resources.
A total of 55 vulnerabilities were detected with 11 critical severity, 29 high severity, 13 medium severity and 2 reports of low severity. These severities were assessed by us for summary purposes and depend on a mix of CVSS and our understanding of the business-related effect.
As of October 6, 2020, the vast majority of these findings have been resolved and credited. They were usually repaired within 1-2 business days (where some were resolved in as little as 4-6 hours).
As of October 4, we have received four payments totaling $51,500 … However, it appears that Apple is paying in batches and is likely to pay for more of the issues in the coming months.
MacDailyNews Take: Thanks to hackers like these guys, Apple’s products, systems and services are even more secure!
There are tons more, including more vulnerability write-ups, throughout the article. [Attribution: AppleInsider. Thanks to MacDailyNews Readers “Fred Mertz” and “Brawndo Drinker” for the heads up.]