Posted on October 9, 2020 at 4:06 PM
A team of security researchers recently found 55 bugs in Apple's systems after spending three months hacking the company's infrastructure.
After the researchers disclosed the vulnerabilities to Apple, the company paid them bounties totaling more than $50,000.
Apple is running a bug bounty program that offers rewards to security researchers for their effort in discovering vulnerabilities in their systems.
However, one of the researchers, Sam Curry, had assumed that the bounty program covered only vulnerabilities affecting physical products like the iPhone.
In July, though, Curry noticed that Apple also paid bounties for its web infrastructure. According to the statement on Apple's bug bounty program page, a bug qualifies when it would have impacted users. Once he learned that the program included web infrastructure, he recruited fellow white-hat hackers Tanner Barnes, Samuel Erb, Ben Sadeghipour, and Brett Buerhaus, and the group started looking into Apple's systems.
After scanning the company's systems and testing different exploits for three months, the researchers had found 55 vulnerabilities in Apple's web infrastructure.
29 of the bugs were considered high severity while 11 others were ranked as critical.
“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure,” the researchers revealed.
According to the researchers, the vulnerabilities could have let attackers compromise both employee and customer applications. With that access, an attacker could have planted a worm capable of taking control of a victim's cloud account.
For security reasons, the team did not disclose full details of their findings. Curry did, however, describe some of the vulnerabilities.
Among them was a flaw that would have compromised Apple's Distinguished Educators program, allowing attackers to steal iCloud data through email and other phishing methods. Another vulnerability would have let attackers infiltrate Apple's warehousing system and internal inventory.
The research team was permitted to publish information
The research team also said Apple permitted them to publish their findings, and that they received the company's full support throughout the process.
The team stresses that every vulnerability whose details were made public has been fixed and the fix verified, and that others should not publish information about Apple's security without the company's permission.
The researchers also said they knew little about Apple's bounty program going in and had not expected payments of that size for their findings.
Apple’s security team was responsive
Curry also said Apple's security team was very responsive throughout the engagement. After the researchers reported their findings, vulnerabilities were generally fixed within two business days, and some within a few hours of the report.
By October 4, Apple had already paid $51,500 to the team of researchers for some of the vulnerabilities they discovered. The company has promised to send more bounty payments for more critical vulnerabilities the researchers have discovered.
Apple’s bounty program offers better infrastructure security
For months, the tech giant's corporate network had been exposed to attacks that could have stolen sensitive data from millions of customers and planted malicious code on their computers and phones. The bounty program helped surface many vulnerabilities that could have led to a cyberattack on the firm and its customers.
Apple's bounty program is relatively well known among security researchers. The company has long worked closely with researchers, and the program takes that relationship a step further.
The program has also helped Apple improve the security of its web infrastructure as well as its physical products. It has encouraged other companies to offer similar programs, since paying rewards is far less expensive than ending up with ransom payments after attackers infiltrate a system.