
Security researchers spent months hacking Apple — here's what they found

Credit: Malcolm Owen, AppleInsider

A team of security researchers spent three months hacking Apple, discovered a slew of vulnerabilities in the company's digital infrastructure, and received bounty payments totaling more than $50,000.

The Cupertino tech giant maintains a bug bounty program that pays security researchers for found vulnerabilities. As researcher Sam Curry notes, he previously thought that Apple only paid bounties for issues affecting physical products like the iPhone.

But, in July, Curry noticed that bounties were seemingly available for web infrastructure, too. According to Apple's bug bounty program page, the company pays out for vulnerabilities with a "significant impact to users." Curry then recruited a team of fellow security researchers — Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes — and began scrutinizing Apple's systems.

After three months of scanning Apple's systems and testing various exploits, the team found a total of 55 vulnerabilities of varying severity. At least 11 were ranked as critical and 29 were of a high severity.

"During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources."

The team wasn't able to disclose all of the flaws they found in detail, but Curry did provide write-ups for some of the more interesting vulnerabilities. Disclosures include a full compromise of Apple's Distinguished Educators Program; a cross-site scripting attack that could allow hackers to steal user iCloud data via email; and a vulnerability that may have allowed attackers to compromise Apple's internal inventory and warehousing system.

Throughout the process, Curry said that Apple's product security staffers were very responsive. The average turnaround time for critical security reports was about four hours between submission and remediation. Typically, flaws were fixed within one to two business days, with some of them fixed in as little as four to six hours.

As of Oct. 4, the team has received four bounty payments totaling $51,500 for some of the vulnerabilities, and expects Apple to send payment for even more critical flaws.

Curry said that they obtained permission from Apple's product security team to publish information on the vulnerabilities and "are doing so at their discretion."

"All of the vulnerabilities disclosed here have been fixed and re-tested. Please do not disclose information pertaining to Apple's security without their permission," Curry notes.

The security researchers note that they went into the project blind, since information on Apple's bug bounty program is spotty. "We were pretty much going into unchartered [sic] territory with such a large time investment," Curry wrote.

"Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities," Curry wrote.
11 Comments

cornchip 11 Years · 1943 comments

Great to see Apple starting to get ahead of this kind of stuff. 

jas99 11 Years · 173 comments

The process is working. Better security for the Apple ecosystem. Glad to hear Apple was so cooperative and quick to respond with fixes. 

MplsP 8 Years · 4047 comments

So happy to see Apple finally participating in a bug bounty program, although from the description of the vulnerabilities found I think the bounties probably should have been higher. Either way it’s a win for everyone. Expectedly, there’s a fair amount of Google/Microsoft/Samsung bashing on this site, but good security benefits everyone. Apple can learn from holes found in competitors’ systems and the competitors can learn from the holes in Apple’s systems. When it comes to security, the enemy is not Google or Microsoft, it’s hackers from China, North Korea & Russia. When security improves, we all win.

dewme 10 Years · 5775 comments

The $51K in bounties is a tiny amount to invest compared to the losses that Apple could have suffered had these vulnerabilities impacted customers or Apple operations. Keep the checkbook open Apple, this is money well spent.  

sflocal 16 Years · 6138 comments

Security is a never-ending whack-a-mole. I know first-hand that online security is resource-intensive and people always have to stay on top of it. Great job Apple. Apple should be doing much MUCH more of this. $51K is chump-change for Apple considering how much damage a breach could cause.