A group of hackers won $ 288,500 from Apple for telling the company 55 errors, including one that would have allowed an attacker to steal iCloud photos of users.
A group of hackers spent months targeting Apple’s sprawling online infrastructure and found a plethora of vulnerabilities, including one that would have allowed hackers to steal files from people’s iCloud accounts, according to a Business Insider report.
These hackers act as “white hat” hackers who do not pirate with criminal purposes. Their goal was to alert Apple to vulnerabilities, not to steal information.
The team was led by Sam Carey, 20, who worked alongside Brett Bowerhouse, Ben Sadeghipur, Samuel Earp and Tanner Barnes.
“I have never worked on Apple’s bug bounty program, so I really had no idea what to expect, but I said why not try my luck and see what I could find,” Curry said in a post.
“Although there were no guarantees regarding payments or an understanding of how the program works, everyone said yes, and we started pirating Apple,” he added.
Apple has paid the group $ 288,500 so far through the “bug-bounty” program, a vulnerability-hunting program launched by Apple. Hackers have uncovered 55 vulnerabilities, 11 of which were described as “dangerous.”
Carey said that once Apple addresses and rewards all of the errors reported by the group, its total payments could exceed $ 500,000.
One of the most egregious vulnerabilities the group found would have allowed hackers to build software that stole users ‘iCloud files before infecting their contacts’ iCloud accounts.
The vulnerability is based on the fact that Apple Mail is supported by iCloud. The white hat hackers were able to break into iCloud accounts after sending an email containing malware to an iCloud.com email address.
Carey said Apple corrected all of the vulnerabilities shortly after reporting them.
During the process of searching for errors, Carey and his team gained insight into the sheer scale of Apple’s online infrastructure. They found that Apple has more than 25,000 web servers that fall under the Apple.com and iCloud.com domains, and more than 7,000 other domains.
And many security vulnerabilities were discovered by searching in the mysterious web servers owned by Apple, such as the Super Teacher site.
Cybersecurity experts who reviewed the research by the Curry team said that while some of the severe vulnerabilities were worrisome, they reflected inherent challenges that should be anticipated for a company that maintains such a massive infrastructure through the Internet.
In a statement to Business Insider, Apple said it appreciates the work of the white hat hackers, adding that the security flaws have been corrected, and there is no evidence of their exploitation by malicious actors.
“At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals who work to detect and respond to threats. Once we alerted researchers to the problems they detailed in their report, we promptly fixed the vulnerabilities, and took steps to prevent issues from being hit,” an Apple spokesperson said. This kind in the future. “
“We appreciate our cooperation with security researchers to help keep our users safe, and we have given credit to the team for helping them and we will reward them with the rewards program,” he added.