Apple has a bug bounty program in place, including a public one it launched last year. This means Apple will pay out money to individuals and groups who discover vulnerabilities in its software, from iOS to macOS.
That is exactly what a small group of hackers has done, earning over $50,000 for three months of work. The group includes Sam Curry, Ben Sadeghipour, Samuel Erb, Tanner Barnes, and Brett Buerhaus. With permission from Apple’s security team, Curry published a blog post detailing the discovered vulnerabilities, which number 55 so far.
First and foremost, as noted by Curry in the blog post, the majority of the issues that the hackers discovered have been patched by Apple as of this week.
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.
There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.
As of October 6th, 2020, the vast majority of these findings have been fixed and credited. They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours).
As far as the money earned, it’s not a terrible payout. The group of hackers earned $51,500 in total, over the course of three months and four payouts. According to Curry, the group earned $5,000 for being able to determine the full name of iCloud users, and another $6,000 for discovering IDOR vulnerabilities. The biggest payout for the group was $34,000 for discovering system memory leaks that exposed customer data.
Last year, Apple increased payouts for its bug bounty program, while also rolling out the program for macOS. At the time, it was noted that hackers could get up to $1 million for discovering some vulnerabilities, depending on their severity.
You can check out Curry’s full breakdown of the vulnerabilities discovered on his blog.