Apple awards $300,000 to Ethical Hackers group


    Apple has awarded a group of ethical hackers an amount of $300,000 for finding out 55 vulnerabilities in their company’s system. The group of hackers consisted of – Ben Sadeghipour, Tanner Barnes, Sam Curry, Samuel Erb, and Brett Buerhaus. They spent 3 months (from July 6th to October 6th) working on this and were successful in finding a total of 55 vulnerabilities. As of October 6th, 2020, the majority of these findings were fixed and credited. All the vulnerabilities were fixed within 1-2 business days also some were even fixed on the same day within 4-6 hours. 

    Sam Curry shared a blog post in which he shared, “During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

    Some of the critical vulnerabilities identified are as follows:

    1. Remote Code Execution via Authorization and Authentication Bypass.
    2. Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications.
    3. Command Injection via Unsanitized Filename Argument.
    4. Remote Code Execution via Leaked Secret and Exposed Administrator Tool.
    5. Authentication Bypass via Misconfigured Permissions allows Global Administrator Access.

    All the vulnerabilities identified can be checked here on the blog.

    According to the hackers, Apple was very responsive to their reports. The turnaround for the most critical reports was only about 4 hours once the submission was done. Since many people don’t know much about Apple’s bug bounty program, so basically the hackers were going into unchartered territory with this kind of large time investment. Apple has a very intriguing record working with security researchers, but it seems like its vulnerability exposure program is a big step in the right direction. As of October 8th, they had received 32 payments totaling to $288,500 for various vulnerabilities they were able to identify.

    Recent Articles

    Weekly Newsletter (25th Apr’ 21 to 1st May’ 21)

      Here’s the Weekly Newsletter from 25th April’ 2021 to 1st May’ 2021: 1. Moolympics #3: Diversity, Equity, and Inclusion through UX - Moolya Software Testing Private...

    OpKey University launched to provide advanced automation testing training

      Opkey announced on 26th April 2021 that the company has launched its own "Opkey University". According to OpKey University, software testing is a critical...

    Cypress 7.2.0 released with New Features and Bugfixes recently released Cypress 7.2.0 version, the new version comes with various bug fixes and new features. Users can now navigate through folders in...

    Moolympics #3: Diversity, Equity, and Inclusion through UX

      Moolya Software Testing Private Limited recently launched Moolympics which is a monthly competition series that covers different skills, values, cultures you bring to the...

    Weekly Newsletter (18th Apr’ 21 to 24th Apr’ 21)

      Here’s the Weekly Newsletter from 4th April’ 2021 to 10th April’ 2021: 1. OpKey launches Industry’s First Marketplace for ERP Test Automation - Opkey recently launched...

    Related Stories

    Stay on op - Ge the daily news in your inbox