Hackers Discover 55 Apple Vulnerabilities, Awarded Nearly $300,000 in Bounties [Updated]

A group of hackers has been awarded nearly $300,000 by Apple for discovering 55 vulnerabilities in the company's systems.


Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes spent three months hacking Apple platforms and services to discover a range of weaknesses. The 55 vulnerabilities the team discovered were of varying severity, with some being critical.

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

Apple was reportedly swift to address the majority of the vulnerabilities, with some being resolved within a few hours of submission.

Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation.

As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.
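As an added illustration of the IDOR (insecure direct object reference) class named above: this is example code written for this page, not Apple's code and not anything from the researchers' report. The order store, the user names and the record IDs are constructed for the example. It shows the defect (an authenticated caller can fetch any record by ID), the fix (an ownership check that reports a foreign record the same way as a missing one), and the enumeration loop a tester runs to confirm the bug.

```python
# Added example of the IDOR vulnerability class; not Apple's code and not
# from the researchers' report. Store, sessions and IDs are constructed.
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass
class Order:
    order_id: int
    owner: str
    detail: str


# Constructed sample data: two users, three orders.
ORDERS = {
    101: Order(101, "alice", "alice's shipping address"),
    102: Order(102, "bob", "bob's shipping address"),
    103: Order(103, "alice", "last four digits of alice's card"),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    """IDOR: the caller is authenticated, but nobody checks who owns the record."""
    if session_user is None:
        raise PermissionError("login required")
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_hardened(session_user: str, order_id: int) -> Order:
    """Authorization check: the record must belong to the caller.

    A record owned by someone else is reported exactly like a missing one,
    so the endpoint does not confirm which IDs exist."""
    if session_user is None:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def enumerate_foreign_records(
    handler: Callable[[str, int], Order], session_user: str, id_range: Iterable[int]
) -> List[int]:
    """What a tester does to confirm IDOR: walk a range of IDs with one user's
    session and collect every record that belongs to someone else."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(session_user, oid)
        except NotFound:
            continue
        if order.owner != session_user:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    probe = range(100, 110)
    print("vulnerable handler leaks:", enumerate_foreign_records(get_order_vulnerable, "alice", probe))
    print("hardened handler leaks:  ", enumerate_foreign_records(get_order_hardened, "alice", probe))
```

Run as a script: the vulnerable handler hands alice bob's order 102, the hardened one returns nothing foreign. The same enumeration loop is how a bounty report of this type is usually evidenced, with sequential or guessable IDs and one low-privilege session.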

Since no one really knew much about their bug bounty program, we were pretty much going into uncharted territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.

Apple has been actively investing in its bug bounty program since opening it to all researchers in December 2019. Security researchers can now receive up to one million dollars per vulnerability, depending on the nature and severity of the security flaw.

With the permission of Apple's security team, the group has published an extensive report which details a range of vulnerabilities and methods of locating and exploiting weaknesses. They also hinted that additional bounties may be on the way.

Update October 9: At the time of publication, the group reported that it had received $51,500 in bounties from Apple for four of the vulnerability reports it submitted. The group now says it has received 32 payments from Apple totaling $288,500.

Top Rated Comments

Expos of 1969
14 months ago
That seems to be quite a low payment for finding 55 problems. Each guy made about $850/week.
Score: 35 Votes
ksec
14 months ago
As part of Apple's Security Bounty Program ('https://www.macrumors.com/2019/12/20/apple-launches-public-bug-bounty-program/'), the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500.
MacRumors just redefined the word "considerable" in Corporate America.
Score: 21 Votes
The Cappy
14 months ago
These kinds of headlines slay me. "Over $50,000" you say.

The correct amount was $51,500. It would have been both shorter and more accurate to type the correct number. You don't even have the excuse of vagueness being necessitated by the need for brevity, since you actually type the number in full. You just go out of your way to use incorrect numbers so that you later need to correct yourself. Oh well.
Score: 19 Votes
adamdport
14 months ago
$50k split between 5 people over 3 months...that's the equivalent of $40k/yr for these guys. I guess it didn't say they were working 40 hours a week, or were full time on Apple though.
Score: 19 Votes
cmaier
14 months ago

I smell lawsuits coming.
Why? Unless someone can prove these vulnerabilities were used, what's the harm?
Score: 17 Votes
CrazyForCashews
14 months ago
I appreciate how quickly Apple paid them.

News like this will probably encourage other hackers to disclose further vulnerabilities to Apple, knowing that they'll be rewarded in a timely manner.
Score: 13 Votes

Related Stories

Apple Reportedly Patches XSS Vulnerability on iCloud's Website

Monday February 22, 2021 6:06 am PST by
In a blog post shared by ZDNet, security researcher Vishal Bharad claims that he found a bug that would have allowed a hacker to inject a virus or malicious script onto Apple's ‌iCloud‌ website. According to Bharad, the vulnerability consisted of creating a Pages or Keynote document on the iCloud website with the name field containing the XSS payload. Sharing the document with another...
Apple Highlights New Privacy Features in iOS 15 and macOS Monterey, Including Microphone Indicator on Mac

Monday June 7, 2021 2:01 pm PDT by
Apple today previewed new privacy protections coming in iOS 15, iPadOS 15, macOS Monterey, and watchOS 8. The software updates are available in beta for developers starting today and will be publicly released later this year. First, a new App Privacy Report feature will let users see how often apps have used the permission they've previously granted to access their location, photos, camera,...
Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest

Thursday April 8, 2021 2:36 pm PDT by
Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS. This 2021 Pwn2Own virtual event kicked off earlier this week and featured 23 separate hacking attempts across 10 different products including web browsers, virtualization, servers, and more. A three-day...
macOS 11.3 Patches Security Vulnerability That Bypassed Built-In Malware Protections

Monday April 26, 2021 11:03 am PDT by
Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update patches a security vulnerability that reportedly could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a spoofed document. "All the user would need to do is double click — and no macOS prompts or warnings are generated," said security researcher Cedric...
Apple Publishes 2021 Supplier Progress Report

Monday May 31, 2021 3:27 am PDT by
Apple has published its annual supplier responsibility report, which outlines the progress it and its suppliers are making towards improving the rights of workers, furthering environmental protection goals, the response to the global health crisis, and more. The report contains detailed information ranging from how Apple addresses reports of violations within its supply chain to how the...
Apple Launches Security Research Device Program to Give Bug Hunters Deeper OS Access to Find Vulnerabilities

Wednesday July 22, 2020 10:33 am PDT by
Apple is today launching a new Apple Security Research Device Program that's designed to provide security researchers with special iPhones that are dedicated to security research with unique code execution and containment policies. Apple last year said it would be providing security researchers with access to "special" iPhones that would make it easier for them to find security...
macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots

Monday May 24, 2021 5:26 pm PDT by
macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surreptitiously recording the screen. Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access,...
Apple Releases New Safari 14.1 Update for macOS Catalina and Mojave With Security Fix

Tuesday May 4, 2021 2:32 pm PDT by
Apple today released a new version of Safari 14.1 for macOS Catalina and macOS Mojave users, with the update introducing fixes for two WebKit vulnerabilities that were patched in macOS Big Sur yesterday. Apple's support document for the updated Safari release confirms that it addresses the same WebKit memory corruption issue and an integer overflow bug for users of older versions of macOS. ...
HomeKit Secure Video Cameras Can Notify You When a Package Has Arrived Starting With iOS 15

Monday June 7, 2021 4:09 pm PDT by
Starting with iOS 15 and iPadOS 15, which will be publicly released in the fall, security cameras and video doorbells that support HomeKit Secure Video can now detect and notify you when a package has been delivered. HomeKit Secure Video, available on iOS 13.2 and later, leverages iCloud to securely stream and store video clips from compatible HomeKit-enabled indoor and outdoor cameras and...
iOS 14.4 Patches Vulnerabilities That May Have Been Actively Exploited

Tuesday January 26, 2021 12:16 pm PST by
Apple today released iOS 14.4 and iPadOS 14.4, and along with a handful of minor new features, the software introduces security fixes for three vulnerabilities that may have been used in the wild. According to a security support document shared by Apple, there were kernel and WebKit vulnerabilities affecting all iPhones and iPads running iOS or iPadOS 14. The kernel vulnerability could allow ...