Five bag $300,000 in bug bounties after finding 55 security holes in Apple's web apps, IT infrastructure

A team of vulnerability spotters have netted themselves a six-figure payout from Apple after discovering dozens of security holes in the Cupertino giant's computer systems, some of which could have been exploited to steal iOS source code, and more. Brett Buerhaus, Ben Sadeghipour, Samuel Erb, Tanner Barnes, and Sam Curry this …

  1. RM Myers
    Happy

    Good job Apple

    Not for the vulnerabilities obviously, but for their follow up action and paying the bug finders. So many of the El Reg stories involve companies downplaying the vulnerabilities, stalling until they are publicly released (and then telling how much they value ...), or even suing the people reporting the bug, e.g., https://www.theregister.com/2015/09/12/roundup_android_fireeye_impero

    People acting responsibly in 2020 - who would have thunk it.

  2. YetAnotherJoeBlow

    Hindsight

    Maybe now they will hire that blue team...

    1. DS999 Silver badge

      Re: Hindsight

      Would that really make sense in the long run? It seems to me you want the guys trying to break into your system to be outsiders who also work with other companies so they are exposed to the wide variety of systems and flaws, and learn more new techniques that way.

      1. iron Silver badge

        Re: Hindsight

        No. Outsiders could use the exploits they find for nefarious purposes. I want an internal team (or third-party hired team) to spot these exploits before they go live in a public facing environment. As it stands Apple have closed the stable door but have no idea if the horse bolted before they did.

  3. Dave 126 Silver badge

    This story makes a good counterpart to the Reg article:

    'Want to set up a successful bug bounty? Make sure you write it for the flaw finders and not the lawyers' -https://www.theregister.com/2020/10/08/cisa_bug_bounty_panel/

    This team started their search for vulnerabilities in Apple's systems without reading any detailed bug bounty documents from Apple - they'd just followed the story of a previous hacker who was awarded $100,000 by Apple, and thought they'd give it a go in good faith. They also noted that it started as a side project for them, but Covid lockdown left them with a lot more time on their hands. Their write-up (linked in this Register article) is well worth a read (or at least a skim, it's detailed!), and it was published with the blessing of Apple's security team.

  4. Anonymous Coward

    And nobody at Apple spotted these massive attacks on their systems?

    I believed this was a pen test ordered by Apple, but if they worked on their own and Apple didn't spot the "brute force" to identify directories and other actions, they have far more to fix....

    1. DS999 Silver badge

      Re: And nobody at Apple spotted these massive attacks on their systems?

      Any big company the size of Apple probably has tons of brute force attack attempts, people trying to DoS them or whatever and so forth so as long as these guys weren't hammering thousands of packets per second they were probably below the noise floor.

      1. Stuart Castle Silver badge

        Re: And nobody at Apple spotted these massive attacks on their systems?

        I should imagine, with 25,000 webservers (and God knows how many other servers that may be publicly accessible), they likely get a lot of attacks with all methods.

        1. pop_corn

          Re: And nobody at Apple spotted these massive attacks on their systems?

          I would imagine they get millions of hack attempts every day.

          My insignificant little WordPress blog was hacked 3 times in 3 years before I figured out a foolproof way of locking it down (putting a .htaccess file in the wp-admin directory to block all IP addresses except my own).

          But last time I looked, the site was still getting attacked dozens of times a day. So often that I have to sporadically clear out the error_log as it grows and grows due to hack attempts.
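          As an added illustration of the lock-down the comment above describes (this is not the commenter's own file, and not from the article), here is what that wp-admin/.htaccess typically looks like. It assumes Apache with the standard authz modules; 203.0.113.10 is a documentation-range placeholder for the administrator's own address, and the admin-ajax.php exception is an assumption about what the site's themes and plugins need.

```apache
# Added example, not the commenter's configuration. Place this file at
# wp-admin/.htaccess. It allow-lists one source address for everything
# under wp-admin and returns 403 to every other client.
# 203.0.113.10 is a placeholder from the documentation range; replace it
# with your own static address (add one "Require ip" / "Allow from" line
# per extra address or CIDR range).

<IfModule mod_authz_core.c>
    # Apache 2.4 and later: a bare Require is evaluated as RequireAny.
    Require ip 203.0.113.10
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback (mod_authz_host syntax).
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# admin-ajax.php lives under wp-admin but is called by many themes and
# plugins on behalf of logged-out visitors, so blocking it breaks front-end
# features. Keep this exception unless you have verified nothing uses it.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

          Two caveats a practitioner would want: wp-login.php sits in the site root, outside wp-admin, so this file does not cover it and needs its own allow-list (or a separate control such as rate limiting and strong credentials); and the rejected requests are still logged, as 403s in the access log and "client denied by server configuration" entries in the error log, which is consistent with the error_log growth the comment mentions.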

  5. low_resolution_foxxes

    "using an exposed default password that let anyone who knew an admin account name to seize control of the underlying Jive application"

    Call me cynical, but I find it hard to imagine this was an accident. It has backdoor written all over it.

    1. iron Silver badge

      Nah. Jive is social media for your intranet, not much use to the NSA methinks.

  6. IGotOut Silver badge

    Great work..

    ..but you do have to wonder how much faster the web would be if researchers weren't battering the crap out of everything.

    Also makes me wonder how these are done. For example, my site will start blocking IPs if it detects port scans, directory traversals, injection attempts etc....and that's after it's got past Cloudflare's protection.

    1. The Mole

      Re: Great work..

      No need to imagine, read the really detailed breakdown they have written on how they went about the process and gained access.

      Starting problem is that Apple have the entire 17.0.0.0/8 with 27k webservers hosted within it with many targeted at employees or partners. It's much harder to monitor and correlate attacks against that many servers, and I imagine the noise level is extremely high. It appears many servers probably weren't installed/managed by 'IT'.

  7. Brewster's Angle Grinder Silver badge

    As much as we slag off Apple, they're a long way from cowboys and, clearly, they care about security. And yet even they can make these mistakes.
