Five bag $300,000 in bug bounties after finding 55 security holes in Apple's web apps, IT infrastructure

A team of vulnerability spotters have netted themselves a six-figure payout from Apple after discovering dozens security holes in the Cupertino giant's computer systems, some of which could have been exploited to steal iOS source code, and more.

Brett Buerhaus, Ben Sadeghipour, Samuel Erb, Tanner Barnes, and Sam Curry this week said that of the 55 bugs they uncovered, 11 were rated as critical, 29 were high-severity, 13 were medium, and two were considered low risk.

We're told it took them about three months to discover the flaws in Apple's IT infrastructure, and having privately reported their findings to the iGiant, they bagged bug-bounty rewards totaling $288,500 or more – Curry told us the money is still rolling in from Cupertino – which works out to an average of $19,233 each per month. The final split will be on the basis of individual bugs found, though it will be close to even.

"We're splitting everything up based on contribution to each bug," Curry told us. "We've kept track of who has spent time on what, and split everything that way. So far it's close to even because everyone has contributed very similar amounts."

We're splitting everything up based on contribution to each bug

It's understood Apple is still working to address some of the reported bugs; the "vast majority" of the flaws have been solved, though. As such, only a few of the security blunders have been documented publicly by the team.

Curry said the group decided to target Apple's public-facing networks in July, a few weeks after seeing the story of Bhavuk Jain, who earned $100,000 for finding a bug in Apple's customer sign-in system.

This prompted them to case Apple's outward-facing IT infrastructure and its websites. They collected details on some 25,000 web servers and 7,000 domains within Apple's huge 17.0.0.0/8 IPv4 address range. The team decided to focus on that IPv4 block, which included icloud.com and 10,000 apple.com servers, as those services seemed to have the most potential.

The crew enumerated, by brute force, the directories on those web servers, which uncovered information that led them to 22 VPN servers vulnerable to Cisco's CVE-2020-3452 file-leaking bug, and a flaw that exposed Spotify access tokens within error messages. That Cisco bug could be exploited to log in as a user and impersonate them on the network.

"The information obtained by these processes were useful in understanding how authorization/authentication worked across Apple, what customer/employee applications existed, what integration/development tools were used, and various observable behaviors like web servers consuming certain cookies or redirecting to certain applications," explained Curry.

"After all of the scans were completed and we felt we had a general understanding of the Apple infrastructure, we began targeting individual web servers that felt instinctively more likely to be vulnerable than others."

At that point, it was a matter of hammering away at the various web applications they found. Among the more interesting findings was a cross-site scripting flaw in the iTunes Banner Builder that could be exploited to steal the secret EC2 and IAM keys for some AWS-hosted Apple servers.

The team also demonstrated a brute-force takeover of the Apple Distinguished Educators portal using an exposed default password that let anyone who knew an admin account name to seize control of the underlying Jive application.

Apple's iOS source code could have potentially been accessed from its Maven repository via a server side request forgery vulnerability in iCloud. Curry said the flaw could also be exploited to delve deeper into Apple's internal network. That infrastructure was also accessible via a REST error leak that granted access to Apple's Nova debug panel.

Not surprisingly, Apple was rather open to hearing about and fixing the flaws. Curry said the security team was rather easy to deal with. That tends to happen when you find dozens of flaws in a company's internal services.

"Overall, Apple was very responsive to our reports," he noted. "The turn around for our more critical reports was only four hours between time of submission and time of remediation." ®