Hackers Discover 55 Apple Vulnerabilities, Awarded Nearly $300,000 in Bounties [Updated]

A group of hackers has been awarded nearly $300,000 by Apple for discovering 55 vulnerabilities in the company's systems.

3

Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes spent three months hacking Apple platforms and services to discover a range of weaknesses. The 55 vulnerabilities the team discovered were of varying severity, with some being critical.

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

Apple apparently was swift to address the majority of the vulnerabilities, with some being resolved in as little as a few hours.

Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation.

As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.

Since no-one really knew much about their bug bounty program, we were pretty much going into unchartered territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.

Apple has been actively investing in its bug bounty program since last year. Security researchers can now receive up to one million dollars per vulnerability depending on the nature and severity of the security flaw.

With the permission of Apple's security team, the group has published an extensive report which details a range of vulnerabilities and methods of locating and exploiting weaknesses. They also hinted that additional bounties may be on the way.

Update October 9: At the time of publication, the group reported that it had received $51,500 in bounties from Apple for four of the vulnerability reports it submitted. The group now says it has received 32 payments from Apple totaling $288,500.

Popular Stories

iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17: What's New With the Cameras

Friday May 2, 2025 3:52 pm PDT by
We've still got months to go before the new iPhone 17 models come out, but a combination of dummy models and leaks have given us some insight into what we can expect in terms of camera changes. Apple is adding new camera features, and changing the design of the camera bump for some models. You might be skeptical of dummy models, but over the years, they've proven to be a highly accurate...
Beyond iPhone 13 Better Blue Face ID

20th-Anniversary iPhone Will Reportedly Feature an All-Screen Design

Saturday May 3, 2025 9:20 am PDT by
Apple's former design chief Jony Ive long dreamed of an iPhone with a truly all-screen design, and his wish might finally become reality in a few more years. The Information today cited multiple sources who said that at least one new iPhone model launching in 2027 will have a truly edge-to-edge display. The device's front camera and Face ID system would both be placed under the screen....
iPhone 17 Air Size Feature

iPhone 17 Air Expected to Have Battery Case Due to 'Worse' Battery Life

Saturday May 3, 2025 8:24 am PDT by
Apple's rumored iPhone 17 Air model will have "worse" battery life compared to previous iPhone models, according to a paywalled The Information report. In internal testing, Apple determined that the percentage of users who will be able to use the iPhone 17 Air for a full day without needing to recharge the device throughout the day will be between 60% and 70%, according to the report. For...
iOS 18

Apple Says iOS 18.5 Coming Soon, Here is What's New

Monday May 5, 2025 8:19 am PDT by
In its press release for the new Pride Band today, Apple said that iOS 18.5 is "upcoming," following more than a month of beta testing. We expect the iOS 18.5 Release Candidate to be released this week, and this should be the final beta version, barring any last-minute bugs or changes. The software update should then be released to the general public next week. iOS 18.5 is a relatively...
Foldable iPhone 2023 Feature Homescreen

Foldable iPhone Said to Have Two Key Advantages

Monday May 5, 2025 6:41 am PDT by
Apple plans to release its first foldable iPhone next year, according to several reporters and analysts who cover the company. In his Power On newsletter today, Bloomberg's Mark Gurman said the foldable iPhone will offer two key advantages over other foldable smartphones. First, he said the foldable iPhone will have a "nearly invisible" crease when unfolded. This means the device's...
AirPods Pro 3 Mock Feature

AirPods Pro 3 Just Months Away – Here's What We Know

Tuesday April 29, 2025 1:30 am PDT by
Despite being more than two years old, Apple's AirPods Pro 2 still dominate the premium wireless‑earbud space, thanks to a potent mix of top‑tier audio, class‑leading noise cancellation, and Apple's habit of delivering major new features through software updates. With AirPods Pro 3 widely expected to arrive in 2025, prospective buyers now face a familiar dilemma: snap up the proven...
iPhone Top Left Hole Punch Face ID Feature 2

iPhone 18 Pro Models Rumored to Feature Under-Screen Face ID With Top-Left Camera Hole

Saturday May 3, 2025 9:19 am PDT by
Apple's two-generations-away iPhone 18 Pro models will likely feature under-screen Face ID, according to The Information. The paywalled report today cited a source who said the iPhone 18 Pro and iPhone 18 Pro Max will have only a small hole in the top-left corner of the screen, to accommodate the front-facing camera, with all Face ID hardware moved under the screen. With under-screen Face ...
Foldable iPhone 2023 Feature Iridescent Search

Apple Plans Split iPhone Launch Strategy: Pro and Foldable in Fall 2026, Standard in Spring 2027

Saturday May 3, 2025 8:32 am PDT by
Starting in 2026, Apple plans to change the release cycle for its flagship iPhone lineup, according to The Information. Apple will release the more expensive iPhone 18 Pro models in the fall, delaying the release of the standard iPhone 18 until the spring. The shift may be because Apple plans to debut a foldable iPhone in 2026, which will join the existing iPhone lineup. The fall release...

Top Rated Comments

Expos of 1969 Avatar
60 months ago
That seems to be quite a low payment for finding 55 problems. Each guy made about $850/week.
Score: 35 Votes (Like | Disagree)
ksec Avatar
60 months ago
As part of Apple's Security Bounty Program ('https://www.macrumors.com/2019/12/20/apple-launches-public-bug-bounty-program/'), the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500.
MacRumors just redefined the word "considerable" in Cooperate America.
Score: 21 Votes (Like | Disagree)
The Cappy Avatar
60 months ago
These kinds of headlines slay me. "Over $50,000" you say.

The correct amount was $51,500. It would have been both shorter and more accurate to type the correct number.You don't even have the excuse of vagueness being necessitated by the need for brevity, since you actually type the number in full. You just go out of your way to use incorrect numbers so that you later need to correct yourself. Oh well.
Score: 19 Votes (Like | Disagree)
adamdport Avatar
60 months ago
$50k split between 5 people over 3 months...that's the equivalent of $40k/yr for these guys. I guess it didn't say they were working 40 hours a week, or were full time on apple though.
Score: 19 Votes (Like | Disagree)
cmaier Avatar
60 months ago

I smell lawsuits coming.
Why? Unless someone can prove these vulnerabilities were used, what’s the harm?
Score: 17 Votes (Like | Disagree)
CrazyForCashews Avatar
60 months ago
I appreciate how quickly Apple paid them.

News like this will probably encourage other hackers to disclose any more vulnerabilities to Apple knowing that they'll be rewarded in a timely manner.
Score: 13 Votes (Like | Disagree)