Apple Paid $288,500 to Ethical Hackers to Hack Their Systems and Find Flaws

A group of hackers has been awarded nearly $300,000 by Apple for discovering 55 vulnerabilities in the company’s systems.

The group, including four members (Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes), spent three months hacking Apple platforms and services to discover the vulnerabilities. They discovered 55 vulnerabilities, with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports.

These security bugs allowed the hackers to penetrate Apple’s core infrastructure, which could have let them access the company’s private information.

Apple has paid $288,500 to the team after processing more than half of the vulnerabilities. One of the team members, Sam Curry, said that the total payout might surpass $500,000 once Apple pays them for the rest.

“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” the hackers said.

“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Curry said in an online chat a few hours after posting a 9,200-word writeup titled We Hacked Apple for 3 Months: Here’s What We Found. “For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”

The hackers performed the task under Apple’s bug-bounty program. Sam Curry gave a statement saying, “This was surprising to me as I previously understood that Apple’s bug bounty program only awarded security vulnerabilities affecting their physical products and did not payout for issues affecting their web assets.”

As part of Apple’s Security Bounty Program, the group received considerable payments for some of their work. As of Sunday, October 4, the team had received four payments totalling $51,500. That included $5,000 for revealing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.

Apple has been very active in investing in its bug bounty program since last year. Security researchers now have the chance to receive up to one million dollars per vulnerability based upon the nature and degree of the bug.
