A team of five ethical hackers finds a total of 55 vulnerabilities in Apple Services with 11 critical ones. Revealed security vulnerabilities that have been reported over a period of three months. Moreover, the group of white-hat hackers has quickly won a total of US$ 288,500 in rewards under Apple’s bug bounty scheme. And even that might not be the final total, as these are cash incentives for just 32 flaws.
The first step in hacking Apple was to find out what to actually hit. Ben and Tanner started to find out what all Apple-owned and what was available for them to start on finding vulnerabilities.
Some of the vulnerabilities identified directly from automated scanning.
White hat group found a number of flaws in the key parts of Apple’s infrastructure. This would have helped the intruder to completely compromise both the employee’s and customers’ demands. They can also unleash a worm that can automatically take over a victim’s iCloud account and retrieve source code for internal Apple ventures. Moreover, corrupt the industrial automation warehouse program used by Apple. Take over the sessions of Apple staff with an ability to access management tools and sensitive resources
The team used a combination of the Common Vulnerability Scoring System (CVSS) to determine the seriousness of the defects. They also know how much business-related impact the bugs will have. There are two bugs that stand out among the flaws in particular. The remote code execution (RCE) vulnerability that could cause the Apple Distinguished Educators software to be completely compromised. And a wormable cross-site scripting (XSS) vulnerability that could allow a threat actor to steal iCloud Data.
In the case of the former, the application could be completely compromising by a threat actor that successfully circumvents authentication and has access to the administration console. This would have allowed the intruder to execute arbitrary commands on the ade.apple.com webserver. Access the Lightweight Directory Access Protocol (LDAP) internal service for managing user accounts. While much of Apple’s internal network is accessing, according to white hats.
The researchers were also able to put together a proof-of-concept to show how a hacker could theoretically exploit the wormable XSS gap. The assault involves modifying the Cascading Style Sheets tag that will be submitted to an iCloud email address. The intruder might secretly collect all the data the victim stored on their iCloud including photographs, videos, and documents, as well as the dissemination of malicious emails to those on the victim’s contact-list.
Apple responded quickly to the bug reports and fixed almost all of the reported bugs within a very little time frame. Overall, Apple has been very sensitive to reports, Curry said in a blog post. Curry also added that they received 32 payments totaling $288,500 issuing on October 8th for various flaws. The number may be higher as Apple prefers to pay in different batches, so the hackers expect further payments in the coming months. Apple’s public bug bounty program, which is available to all interested bug hunters. Last December, the organization opened a historically private initiative to the public. Those who argue that the company needs to be more transparent about hardware and software defects. It also contained a maximum payment of $1 million to sweeten the offer.
Group of Hackers have obtained permission from the Apple Security Team to publish descriptions of critical vulnerabilities, all of which have been patched and retested. The results are a disturbing reminder that even the biggest tech corporations greatly underestimate the security of their web application.
Did you know that more than 46% of cyberattacks are directed at companies with fewer than 1000…
Digitalization has both pros and cons. However, one of the major disadvantages that each of…
The concept of machine learning is completely changing the world and revolutionizing various sectors. But…
Did you know that in the year 2023, around 353 million faced digital breaches that could potentially…
How safe is your internet browsing experience? In a world where cyberattacks have become common,…
With the penetration of cyber threats every minute, cybersecurity has become critical in the personal…
TheEncrypt uses cookies.