Hackers won $288,500 from Apple for telling the company about 55 bugs

A group of hackers has been paid $288,500 by Apple for finding a slew of vulnerabilities, including one that would allow hackers to steal files from people’s iCloud accounts.

They were operating as “white hat” hackers, meaning their goal was to alert Apple to the vulnerabilities rather than to steal information. The team was led by 20-year-old Sam Curry.

Curry said that once Apple processes and rewards all of the bugs the group reported, their total payment may exceed $500,000.

“I had never worked on the Apple bug bounty program so I didn’t really have any idea what to expect but decided why not try my luck and see what I could find,” Curry said in the blog post.

“Even though there was no guarantee regarding payouts nor an understanding of how the program worked, everyone said yes, and we began hacking on Apple.”

One of the most egregious vulnerabilities that the group found would have allowed hackers to build a worm that steals people’s iCloud files before infecting the iCloud accounts of their contacts.

The vulnerability hinges on the fact that Apple Mail is supported by iCloud: the white hat hackers were able to compromise iCloud accounts after sending an email containing malicious code to an iCloud.com email address.

Apple patched all of the vulnerabilities shortly after they were reported, Curry said.

In the process of seeking out the bugs, Curry and his team gained insight into the massive scale of Apple’s online infrastructure. Apple owns more than 25,000 web servers, which fall under Apple.com, iCloud.com, and over 7,000 other unique domains, the researchers found. Many of the vulnerabilities were discovered by searching through obscure web servers owned by Apple.

Cybersecurity experts who reviewed the research by Curry’s team said that, while some of the severe vulnerabilities are concerning, they reflect inherent challenges that should be expected for a company maintaining such huge online infrastructure.

“The breadth of issues identified within the vast Apple online presence … actually is more evidence of how difficult it is to keep on top of all security issues as organisations grow than a negative reflection of any security practices within Apple,” Tim Mackey told Business Insider.

In a statement to Business Insider, Apple said it appreciated the white hat hackers’ work, adding that the vulnerabilities have been patched and there’s no evidence they were exploited by malicious actors.

“At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind,” the Apple spokesperson said.

“We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.”
