For months, Apple’s corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday.
ARS TECHNICA
This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.
Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.
The 11 critical bugs were:
Remote Code Execution via Authorization and Authentication Bypass
Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
Command Injection via Unsanitized Filename Argument
Remote Code Execution via Leaked Secret and Exposed Administrator Tool
Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
Vertica SQL Injection via Unsanitized Input Parameter
Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys
Apple promptly fixed the vulnerabilities after Curry reported them over a three-month span, often within hours of his initial advisory. The company has so far processed about half of the vulnerabilities and committed to paying $288,500 for them. Once Apple processes the remainder, Curry said, the total payout might surpass $500,000.
“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Curry said in an online chat a few hours after posting a 9,200-word writeup titled We Hacked Apple for 3 Months: Here’s What We Found. “For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”
Curry said the hacking project was a joint venture that also included fellow researchers: Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes.
Among the most serious risks were those posed by a stored cross-site scripting vulnerability (typically abbreviated as XSS) in JavaScript parser that’s used by the servers at www.iCloud.com. Because iCloud provides service to Apple Mail, the flaw could be exploited by sending someone with an iCloud.com or Mac.com address an email that included malicious characters.
The target need only open the email to be hacked. Once that happened, a script hidden inside the malicious email allowed the hacker to carry out any actions the target could when accessing iCloud in the browser. Here is a video showing a proof-of-concept exploit that sent all of the target’s photos and contacts to the attacker.
Curry said the stored XSS vulnerability was wormable, meaning it could spread from user to user when they did nothing more than open the malicious email. Such a worm would have worked by including a script that sent a similarly crafted email to every iCloud.com or Mac.com address in the victims’ contact list.
A separate vulnerability, in a site reserved for Apple Distinguished Educators, was the result of it assigning a default password—“###INvALID#%!3” (not including the quotation marks)—when someone submitted an application that included a username, first and last name, email address, and employer.