Nick Wright. Used with permission.

For months, Apple's corporate network has been at risk from hacks that could potentially have stolen sensitive data from millions of its customers and executed malicious code on their phones and computers, a security researcher said Thursday.

Sam Curry, a 20-year-old researcher who specializes in website security, said he and his team found a total of 55 vulnerabilities. He assessed eleven of them as critical, as they enabled him to take control of Apple's core infrastructure and steal private emails, iCloud data and other private information from there.

The 11 critical errors were:

  • Remote code execution via authorization and authentication bypass
  • Bypassing authentication using incorrectly configured permissions allows global administrator access
  • Command injection via argument for uncleaned filename
  • Remote code execution via Leaked Secret and Exposed Administrator Tool
  • A memory leak creates a trade-off between employee and user account that allows access to various internal applications
  • Vertica SQL Injection via uncleaned input parameters
  • Wormable Stored XSS allows the attacker to completely compromise the victim's iCloud account
  • Wormable Stored XSS allows the attacker to completely compromise the victim's iCloud account
  • Full answer SSRF allows the attacker to read internal source code and access protected resources
  • With Blind XSS, the attacker can access the internal support portal for tracking customer and employee problems
  • The server-side PhantomJS execution allows the attacker to access internal resources and obtain AWS IAM keys

Apple fixed the vulnerabilities immediately after Curry reported them over a period of three months, often within hours of his initial consultation. The company has so far addressed about half of the vulnerabilities and has committed to pay $ 288,500 for them. Once Apple processes the rest, the total payout could exceed $ 500,000, Curry said.

"If the problems had been used by an attacker, Apple would have suffered massive information and integrity losses," Curry said in an online chat a few hours after reading a 9,200-word article entitled "We hacked Apple for three months : Here's what we had published "Found. "For example, attackers would have access to the internal tools used to manage user information and could also modify the systems to work as the hackers intended."

Curry said the hacking project was a joint venture that also included other researchers:

Two of the worst

The most serious of these risks included those caused by a stored cross-site scripting vulnerability (usually abbreviated as XSS) in the JavaScript parser used by the servers at Since iCloud provides a service for Apple Mail, the bug can be exploited by sending someone with an or address an email with malicious characters.

The target just needs to open the email to be hacked. In this case, using a script hidden in the malicious email, the hacker was able to perform whatever actions the target could take in the browser while accessing iCloud. Below is a video that shows a proof-of-concept exploit in which all of the target's photos and contacts were sent to the attacker.

(embed) (/ embed)

Conceptual evidence

Curry said the stored XSS vulnerability was wormable, which means that it could spread from user to user if they just opened the malicious email. One such worm would have worked by including a script that would send a similarly styled email to any or address on the victims' contact list.

A separate vulnerability on a website reserved for Apple Distinguished Educators was the result of being assigned a default password – "### INvALID #%! 3" (without the quotation marks) – when someone submitted an application with a username before and last name, email address and employer.

"If someone has applied using this system and has features that allow you to manually authenticate, you can simply log into their account with the default password and bypass the 'Sign in with Apple' login entirely," wrote Curry.

Eventually, the hackers were able to use bruteforcing to guess a user named "erb" and use it to manually log into the user account. The hackers then logged on to several other user accounts, one of which had "administrator rights" on the network. The image below shows the Jive console that was used to run online forums.

With control over the interface, the hackers could have run arbitrary commands on the web server that controls the subdomain and accessed the internal LDAP service that stores the user account credentials. This would have given them access to much of Apple's remaining internal network.

Freak out

In total, the Curry team found and reported 55 vulnerabilities with a severity of 11 classified as critical, 29 as high, 13 as medium and two as low. The list and the dates they were found on are set out in Curry's blog post linked above.

As the above list makes clear, the hacks listed here are just two of a long list that Curry and his team were able to pull off. You did it as part of Apple's bug bounty program. According to Curry's post, Apple paid a total of $ 51,500 in exchange for the private reports of four vulnerabilities.

As I reported and wrote this post, Curry said he had an email from Apple informing him that the company was paying an additional $ 237,000 for 23 other vulnerabilities.

“My reply to the email was, 'Wow! I'm in a strange state of shock right now, ”said Curry. "I've never been paid so much at once. Everyone in our group is still a bit freaked out."

He reckons the total payout could exceed $ 500,000 once Apple digests all the reports.

An Apple representative made a statement stating:

At Apple, we carefully protect our networks and have dedicated teams of information security professionals who work to identify and respond to threats. As soon as the researchers made us aware of the issues described in their report, we immediately addressed the vulnerabilities and took steps to prevent future issues of this type. Based on our logs, the researchers were the first to discover the security vulnerabilities, so we are confident that no user data has been misused. We value our collaboration with security researchers to keep our users safe. We've credited the team with their support and will reward them through the Apple Security Bounty Program.


Please enter your comment!
Please enter your name here