A group of hackers spent months targeting Apple’s extensive online infrastructure and found a number of vulnerabilities, including one that would have allowed hackers to steal files from people’s iCloud accounts.
They acted as “white hat” hackers, meaning their purpose was to alert Apple to vulnerabilities rather than to steal information. The team was led by 20-year-old Sam Curry, who worked with Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes.
“I had never worked on the Apple Bug Rewards program, so I had no idea what to expect, but I decided to try my luck and see what I could find,” Curry said in a blog post. “Even though there was no guarantee of payments and no understanding of how the program worked, everyone agreed and we started hacking Apple.”
Apple has so far paid the group $288,500 through its bug fix program in exchange for revealing 55 vulnerabilities, 11 of which have been labeled “severe.” Curry said that once Apple processes and rewards all errors reported by the group, their total payment could exceed $500,000.
One of the most egregious vulnerabilities discovered by the group allegedly allowed hackers to build a “worm” that steals people’s iCloud files before infecting their contacts’ iCloud accounts. The vulnerability depends on the fact that Apple Mail is supported by iCloud. Hackers managed to compromise iCloud accounts after sending an email containing malicious code to an iCloud.com address.
Apple fixed all the vulnerabilities shortly after they were reported by hackers.
In the process of finding errors, Curry and his team gained insight into the massive scale of Apple’s online infrastructure. The researchers found that Apple has more than 25,000 web servers, which fall under Apple.com, iCloud.com and more than 7,000 other unique domains. Many of the vulnerabilities were discovered by searching through Apple’s obscure web servers, such as its Distinguished Educators website.
Cybersecurity experts who analyzed Curry’s research said that while some of the severe vulnerabilities were worrisome, they reflected the inherent challenges that are expected of a company that maintains such a large online infrastructure.
“The density of issues identified in Apple’s vast online presence is, in fact, more evidence of how difficult it is to keep all security issues as organizations grow, than a negative reflection of any Apple security practices,” Tim Mackey, the chief security strategist of Synopsys Cybersecurity Research Center, told Business Insider.
In a statement to Business Insider, Apple said it appreciated the work of the hackers, adding that the vulnerabilities had been fixed and that there was no evidence that they were being exploited by malicious individuals.
“At Apple, we carefully protect our networks and have dedicated teams of information security professionals who work to detect and respond to threats. As soon as the team alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future such issues,” said the Apple spokesman. “We appreciate our collaboration with security researchers to keep our users safe, and we have credited the team for their support and will reward them with the Apple Security Bounty program.”