Date:09/10/20
Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes spent three months hacking Apple platforms and services to discover a range of weaknesses. The 55 vulnerabilities the team discovered were of varying severity, with some being critical.
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.
Apple apparently was swift to address the majority of the vulnerabilities, with some being resolved in as little as a few hours.
Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation.
As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.
Since no-one really knew much about their bug bounty program, we were pretty much going into unchartered territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.
Apple has been actively investing in its bug bounty program since last year. Security researchers can now receive up to one million dollars per vulnerability depending on the nature and severity of the security flaw.
With the permission of Apple's security team, the group has published an extensive report which details a range of vulnerabilities and methods of locating and exploiting weaknesses. They also hinted that additional bounties may be on the way.
Hackers discover 55 Apple vulnerabilities, awarded over $50,000 in bounties
A group of hackers has been awarded over $50,000 by Apple for discovering 55 vulnerabilities in the company's systems.Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes spent three months hacking Apple platforms and services to discover a range of weaknesses. The 55 vulnerabilities the team discovered were of varying severity, with some being critical.
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.
Apple apparently was swift to address the majority of the vulnerabilities, with some being resolved in as little as a few hours.
Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation.
As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.
Since no-one really knew much about their bug bounty program, we were pretty much going into unchartered territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.
Apple has been actively investing in its bug bounty program since last year. Security researchers can now receive up to one million dollars per vulnerability depending on the nature and severity of the security flaw.
With the permission of Apple's security team, the group has published an extensive report which details a range of vulnerabilities and methods of locating and exploiting weaknesses. They also hinted that additional bounties may be on the way.
Views: 228
©ictnews.az. All rights reserved.Similar news
- Cellphone Use May Raise Cancer Risk
- Australian police pushes cyber safety education
- Vietnam aims to lead in e-government
- Senate Website Gets Hacked
- US builds net for cyber war games
- Japan enacts anti-computer virus law
- India passes law vs e-waste
- Anonymous Declares War On The City Of Orlando
- Microsoft highlights evolving dangers as online identity data proliferates
- Consumers want internet security to be provided by banks
- Government facilities targets of cyber attack
- South Korean web attacks might been war drill
- Sri Lanka to Establish National Passport Database to Increase Border Security
- Hi-tech crime agencies set to employ information security professionals
- Phone hacking and online campaign bring down the News of the World