- Five non-malicious “white hat” or ethical hackers spent three months hacking Apple and discovered 55 vulnerabilities in the process.
- They earned $288,500 in rewards from Apple in exchange for disclosing the bugs.
- Eleven of those vulnerabilities were labeled “critical,” including one that would have allowed hackers to steal all files and photos stored on a victim’s iCloud account before infecting that person’s contacts.
- Apple fixed the vulnerabilities almost immediately after they were revealed, the hackers said.
A group of hackers spent months targeting Apple’s extensive online infrastructure and found a host of vulnerabilities, including one that would allow attackers to steal files from people’s iCloud accounts, they announced in a blog post this week.
They acted as “white hat” hackers, meaning that their goal was to alert Apple to vulnerabilities rather than steal information. The team was led by 20-year-old Sam Curry, along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes.
“I had never worked on Apple’s bug bounty program, so I really had no idea what to expect, but I decided why not try my luck and see what I could find,” Curry said in the blog post. “Although there was no guarantee regarding payments or an understanding of how the program worked, everyone said yes and we started hacking Apple.”
Apple has paid the group $288,500 so far through its bug bounty program in exchange for disclosing 55 vulnerabilities, 11 of which were labeled “critical.” Curry said that once Apple processes and rewards all the bugs the group reported, the group’s total payout could exceed $500,000.
One of the most egregious vulnerabilities the group found would have allowed attackers to create a worm that steals people’s iCloud files before infecting their contacts’ iCloud accounts. The vulnerability hinged on the integration between Apple Mail and iCloud: the white hat hackers were able to compromise iCloud accounts after sending an email containing malicious code to an iCloud.com email address.
Apple fixed all the vulnerabilities shortly after they were reported, Curry said.
In the process of searching for bugs, Curry and his team learned about the massive scale of Apple’s online infrastructure. Apple owns more than 25,000 web servers, belonging to Apple.com, iCloud.com and more than 7,000 other unique domains, the researchers found. Many of the vulnerabilities were discovered by searching through obscure Apple-owned web servers, such as its Distinguished Educators site.
Cybersecurity experts who reviewed Curry’s team’s research said that while some of the serious vulnerabilities are concerning, they reflect inherent challenges that should be expected for a company that maintains such a huge online infrastructure.
“The breadth of issues identified within Apple’s vast online presence … is actually more evidence of how difficult it is to stay on top of all security issues as organizations grow than a negative reflection of any security practice within Apple,” Tim Mackey, chief security strategist at the Synopsys Cybersecurity Research Center, told Business Insider.
In a statement to Business Insider, Apple said it appreciated the work of the white hat hackers, adding that the vulnerabilities have been patched and there is no evidence that they have been exploited by malicious actors.
“At Apple, we carefully protect our networks and have dedicated teams of information security professionals working to detect and respond to threats. As soon as the researchers alerted us to the issues they detailed in their report, we immediately fixed the vulnerabilities and took steps to prevent future problems of this type,” an Apple spokesperson said. “We value our collaboration with security researchers to help keep our users safe and have recognized the team for their help and will reward them through the Apple Security Bounty program.”
Read the full report on the findings of the white hat hacker team here.