Apple awards group of researchers $51,500 for disclosing multiple vulnerabilities as part of its Bug Bounty Program

markus spiske iar afB0QQw unsplash

Apple is paying a group of five researchers a total of $51,500 as a reward for finding and disclosing multiple vulnerabilities in Apple’s web infrastructure to the company. Apple runs a Bug Bounty Program where it regularly awards people who disclose serious vulnerabilities in its software.

Sam Curry, who is a Web Application Security researcher, has shared his experience finding and reporting such vulnerabilities to Apple in a blog post. He says he initially thought that Apple only awarded security vulnerabilities affecting the company’s physical products. However, when he realized that Apple paid out for any software vulnerability “with significant impact to users,” he formed a team of security researchers and started working.

The team comprised of Sam Curry himself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes. Together, they found a series of vulnerabilities that affected core portions of Apple’s infrastructure that would’ve proven concerning for both employee and customer applications.

“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

They reported these vulnerabilities to Apple and the company acknowledged them, awarding a total of $51,500 for all the disclosures. Curry also notes that Apple doesn’t hand out payments for all the vulnerabilities at once. That said, he has shared a breakdown of the payments Apple already issued as of Oct. 4:

  • $5,000 – Disclosing the Full Name of iCloud users via Editor Invitation on redacted
  • $6,500 – Gopher/CRLF Semi-Blind SSRF with Access to Internal Corporate Environments
  • $6,000 – IDOR on https://redacted/
  • $34,000 – Multiple eSign environments vulnerable to system memory leaks containing secrets and customer data due to public-facing actuator heap dump, env, and trace
3
Curry’s team was able to exfiltrate this Apple panel via HTML5 DOM. Source: Sam Curry.

Apple is yet to issue payments for more of the issues that Sam’s team of security researchers reported and will likely send them out in batches.

An interesting thing to note is how quickly Apple responded to their disclosure. “Overall, Apple was very responsive to our reports,” says Sam. “As of October 6th, 2020, the vast majority of these findings have been fixed and credited. They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours).”

But it wasn’t only Apple that did the hard work:

“When we first started this project we had no idea we’d spend a little bit over three months working towards it’s completion. This was originally meant to be a side project that we’d work on every once in a while, but with all of the extra free time with the pandemic we each ended up putting a few hundred hours into it.”

The blog post also offers a peek at the scale of Apple’s vast web infrastructure:

“[Apple] own the entire 17.0.0.0/8 IP range, which includes 25,000 web servers with 10,000 of them under apple.com, another 7,000 unique domains, and to top it all off, their own TLD (dot apple). Our time was primarily spent on the 17.0.0.0/8 IP range, .apple.com, and .icloud.com since that was where the interesting functionality appeared to be.”

This isn’t the first time Apple is awarding huge sums of money to security researchers to help discover holes in its online infrastructure, products, and services. In May, Apple awarded $100,000 as bounty to researcher Bhavuk Jain for disclosing a server-side vulnerability.

At Apple’s Security Bounty page, the company says that it makes it “a priority to resolve confirmed issues as quickly as possible in order to best protect customers.” The Cupertino company certainly appears to be living up to its words.