Five security researchers worked on Apple’s infrastructure for three months and discovered a total of 55 security vulnerabilities.
In his blog, security expert Sam Curry, who discovered the flaws together with security researchers Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes, explains that these vulnerabilities in Apple's network could have compromised not only the accounts of employees but also those of Apple's customers.
“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss. For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.” — said Curry to the online magazine Ars Technica.
The flaws were reported over the last three months and were promptly closed by Apple, sometimes within hours. So far, Apple has processed about half of the vulnerabilities and committed to paying $288,500 for them; the total bounty could exceed $500,000, explains Curry.
Two Dangerous Security Vulnerabilities:
A particularly serious security flaw was in iCloud, Apple's cloud and mail service. If the victim opened a specially crafted email, the attacker could carry out a cross-site scripting (XSS) attack, read the victim's personal information from the cloud — including the photos, documents and calendar stored there — and send it by email to themselves. The security researchers demonstrate the attack in a proof-of-concept video.
The security researchers discovered another security gap in Apple's Distinguished Educators Program, an invitation-only teacher forum. If teachers applied via a form on the website and entered their username, name, and email address, Apple assigned them the standard password “#### INVALID #%! 3” via a hidden password field. With these credentials, third parties could then log in directly, bypassing Apple's normal login flow.
The security researchers found the username “erb” by simple trial and error (brute force) and were able to log in manually with that password. From a user list there, they could identify users with administrator rights and log in as them. In the end, they were able to execute code via the application's plug-in function and reach the internal LDAP service used for user account management, which, Curry writes, gave access to a large part of Apple's internal network.
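The Distinguished Educators flaw described above is a textbook case of a registration handler trusting a hidden form field and silently falling back to a shared default. The following is an added illustration, not code from the article or from Apple's application, showing that anti-pattern beside a hardened registration flow: the server ignores any client-supplied password, stores only a salted hash of a random single-use setup token, and refuses normal logins until the applicant completes a password reset with that token. All function names, the `users` store and the placeholder constant are assumptions constructed for this example.

```python
"""Added example (not from the article or from Apple): the default-password
anti-pattern beside a hardened registration flow.  Everything here is
constructed for illustration; the placeholder default below deliberately does
not reuse the real constant the article quotes."""
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for a hidden-field default.
DEFAULT_PASSWORD = "PLACEHOLDER-DEFAULT"


def register_vulnerable(form: dict, users: dict) -> dict:
    """Anti-pattern: a hidden 'password' field with a shared, guessable default.

    Every applicant who submits the form without touching the hidden field
    ends up with the same password, so knowing any username is enough."""
    username = form["username"]
    password = form.get("password", DEFAULT_PASSWORD)
    users[username] = {"password": password, "must_reset": False}
    return users[username]


def login_vulnerable(users: dict, username: str, password: str) -> bool:
    user = users.get(username)
    return user is not None and user["password"] == password


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a dedicated password hash
    # (argon2/bcrypt) would be the production choice.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def register_hardened(form: dict, users: dict) -> str:
    """Hardened flow: never accept a password from the application form.

    A random setup token is generated server-side, only its salted hash is
    stored, and the account is flagged so that ordinary login is refused
    until the applicant sets their own password through the reset flow."""
    username = form["username"]
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": _hash(token, salt), "must_reset": True}
    # The token is returned only so it can be delivered out of band
    # (e.g. a one-time link in an invitation email); it is never stored in clear.
    return token


def login_hardened(users: dict, username: str, password: str) -> bool:
    user = users.get(username)
    if user is None or user["must_reset"]:
        # Unknown user, or a provisioned account that has not completed setup:
        # the setup token is only honoured by complete_reset, never by login.
        return False
    return hmac.compare_digest(_hash(password, user["salt"]), user["hash"])


def complete_reset(users: dict, username: str, token: str, new_password: str) -> bool:
    """Consume the single-use setup token and install the applicant's own password."""
    user = users.get(username)
    if user is None or not user["must_reset"]:
        return False
    if not hmac.compare_digest(_hash(token, user["salt"]), user["hash"]):
        return False
    salt = secrets.token_bytes(16)
    user.update(salt=salt, hash=_hash(new_password, salt), must_reset=False)
    return True


if __name__ == "__main__":
    # Constructed walk-through: the same form submission against both handlers.
    weak, strong = {}, {}
    register_vulnerable({"username": "teacher1"}, weak)
    print("vulnerable login with default:", login_vulnerable(weak, "teacher1", DEFAULT_PASSWORD))
    token = register_hardened({"username": "teacher1", "password": DEFAULT_PASSWORD}, strong)
    print("hardened login with default:", login_hardened(strong, "teacher1", DEFAULT_PASSWORD))
    print("reset with setup token:", complete_reset(strong, "teacher1", token, "chosen-by-user"))
    print("hardened login afterwards:", login_hardened(strong, "teacher1", "chosen-by-user"))
```

The design point is that the client never gets to choose, or even see, the initial credential: provisioning an account and authenticating to it are separated by a server-generated, single-use secret, so a hidden default field in the form has nothing to override.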
These vulnerabilities are part of a long list that made it possible, for example, to access internal source code and other protected resources, or the support portal used to track customer and employee problems. The security researchers were even able to copy AWS keys.