A group of ethical hackers cracked open Apple’s infrastructure and systems and, over the course of three months, discovered 55 vulnerabilities, a number of which would have given attackers complete control over customer and employee applications.
Of note, a critical, wormable iCloud account takeover bug would allow attackers to automatically steal all of a victim’s documents, photos, videos and more.
The discovery by hackers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes demonstrated key weaknesses in the company’s “massive” infrastructure while it also earned the team nearly $300,000 to date in rewards for their efforts, Curry wrote in an extensive blog post detailing the team’s findings.
The flaws found in core portions of Apple’s infrastructure include ones that would have allowed an attacker to: “fully compromise both customer and employee applications; launch a worm capable of automatically taking over a victim’s iCloud account; retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple; and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” he wrote.
Of the 55 vulnerabilities discovered, 11 were rated with critical severity, 29 with high severity, 13 with medium severity and two with low severity. The researchers rated the bugs based on the CVSS vulnerability-severity rating and “our understanding of the business-related impact,” Curry said.
The wormable iCloud bug is a cross-site scripting (XSS) issue, according to the writeup. iCloud is an automatic storage mechanism for photos, videos, documents and app-related data for Apple products. Additionally, the platform provides services like Mail and Find My iPhone.
“The mail service is a full email platform where users can send and receive emails similar to Gmail and Yahoo,” explained Curry. “Additionally, there is a mail app on both iOS and Mac which is installed by default on the products. The mail service is hosted on www.icloud.com alongside all of the other services like file and document storage.”
He added, “This meant, from an attacker’s perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service.”
He discovered such a bug after hunting around for a while: “When you had two style tags within the email, the contents of the style tags would be concatenated together into one style tag,” he said. “This meant that if we could get ‘</sty’ into the first tag and ‘le>’ into the second tag, it would be possible to trick the application into thinking our tag was still open when it really wasn’t.”
The team was ultimately able to create a proof of concept that demonstrated code that steals all of the victim’s personal iCloud information (photos, calendar information and documents) then forwards the same exploit to all of their contacts.
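The tag-concatenation flaw described above is a general sanitization pitfall: if each fragment is validated on its own and the fragments are only merged afterwards, the validator never sees the string the browser actually parses. The following added example (constructed for this article, not code from Curry’s team or from Apple) contrasts a naive per-fragment check with one that validates the merged result, using constructed sample fragments.

```python
import re

# Matches an HTML closing style tag, which is what ends the CSS context.
CLOSE_TAG = re.compile(r"</\s*style\s*>", re.IGNORECASE)

# Constructed sample inputs: two <style> bodies taken from one email.
BENIGN_BLOCKS = ["p{color:red}", "b{font-weight:bold}"]
# The split closing tag from the article: neither half matches on its own.
SPLIT_TAG_BLOCKS = ["p{color:red}</sty", "le><b>outside the style tag</b>"]


def naive_merge_styles(blocks):
    """Vulnerable pattern (illustration of the bug class, not Apple's code):
    each body is checked for a closing tag in isolation, then the
    survivors are concatenated into a single <style> element."""
    kept = [b for b in blocks if not CLOSE_TAG.search(b)]
    return "<style>" + "".join(kept) + "</style>"


def hardened_merge_styles(blocks):
    """Corrected pattern: merge first, then validate the string the
    browser will see. Reject it if the style context can be closed."""
    merged = "".join(blocks)
    if CLOSE_TAG.search(merged):
        raise ValueError("merged style content closes the <style> tag")
    return "<style>" + merged + "</style>"


def style_context_escaped(rendered):
    """Detection check on rendered markup: a single merged style element
    should contain exactly one closing tag; more means a breakout."""
    return len(CLOSE_TAG.findall(rendered)) > 1


if __name__ == "__main__":
    print(style_context_escaped(naive_merge_styles(SPLIT_TAG_BLOCKS)))  # True
    print(hardened_merge_styles(BENIGN_BLOCKS))
```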
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said that the success of the bounty-hunters should be a wake-up call.
“Unfortunately, there is no warranty that these vulnerabilities have not been exploited by sophisticated threat actors to silently compromise VIP victims,” he said via email. “Worse, likely more similar vulnerabilities exist undiscovered and may be known to hacking groups that make a lot of money by their exploitation. Modern web applications open the door to corporate networks with the most critical information, and their breach can be fatal for a company.”
Apple Response and $300K
For its part, Apple responded quickly to the bug reports, fixing the majority of them by the time the post went live. Apple typically remediated flaws within one to two business days of learning of them, and responded to some critical vulnerabilities within as little as four to six hours, he acknowledged.
“Overall, Apple was very responsive to our reports,” Curry said, adding that, “as of now, October 8th, we have received 32 payments totaling $288,500 for various vulnerabilities.” That number could go higher as Apple tends to pay in “batches,” so the hackers anticipate more payments in the coming months, he said.
Apple’s public bug-bounty program – in which all interested parties can participate – is a fairly recent affair. The company opened up a historically private program to the public last December after years of criticism from developers, who argued that the company needed to be more transparent about flaws in its hardware and software. It also included a $1 million maximum payout to sweeten the deal.
Indeed, Curry – who calls himself a full-time bug-bounty hunter – said he was inspired to assemble the team of hackers to peer under the hood of Apple’s infrastructure after learning on Twitter of a researcher’s award of $100,000 from Apple for discovering an authentication bypass that allowed arbitrary access to any Apple customer account.
“This was surprising to me, as I previously understood that Apple’s bug bounty program only awarded security vulnerabilities affecting their physical products and did not payout for issues affecting their web assets,” he wrote.
Once he found out that Apple was willing to pay for vulnerabilities “with significant impact to users” regardless of whether or not the asset was explicitly listed in scope, it was game on, he said.
“This caught my attention as an interesting opportunity to investigate a new program which appeared to have a wide scope and fun functionality,” Curry wrote in the post. He decided to invite hackers he’d worked with in the past on the project, even though everyone on board knew there was no guarantee of payouts for their discoveries.
The critical vulnerabilities the team discovered in their work are the following: Full Compromise of Apple Distinguished Educators Program via Authentication and Authorization Bypass; Full Compromise of DELMIA Apriso Application via Authentication Bypass; Wormable Stored Cross-Site Scripting Vulnerabilities Allow Attacker to Steal iCloud Data through a Modified Email; Command Injection in Author’s ePublisher; Full Response SSRF on iCloud allows Attacker to Retrieve Apple Source Code; Nova Admin Debug Panel Access via REST Error Leak; AWS Secret Keys via PhantomJS iTune Banners and Book Title XSS; Heap Dump on Apple eSign Allows Attacker to Compromise Various External Employee Management Tools; XML External Entity processing to Blind SSRF on Java Management API; GBI Vertica SQL Injection and Exposed GSF API; Various IDOR Vulnerabilities; and Various Blind XSS Vulnerabilities.
The hackers received permission from the Apple security team to publish details on the critical bugs, all of which have been fixed and re-tested, Curry said.
The findings are an alarming reminder that even the largest tech companies considerably underestimate their web application security, according to Kolochenko.
“Most organizations merely invest into some automated scanning tools and recurrent penetration testing but without implementing a comprehensive application security program,” he said. “Such a program shall include regular secure coding trainings for software developers, introducing security controls aimed to detect vulnerabilities at the early stage of development – the so-called ‘shift-left’ approach – and providing strict security guidelines for software developed by third-parties. Finally, modern software shall incorporate privacy by design to enable seamless compliance with regulations like CCPA or GDPR.”