A group of hackers spent months targeting Apple's vast online infrastructure and discovered a series of vulnerabilities, including some that would have allowed attackers to steal files from users' iCloud accounts, according to a blog post published this week. Unlike hackers intent on sabotage, these researchers operated as "white hats": their goal was to alert Apple rather than to steal information. The team is led by 20-year-old Sam Curry; the other researchers are Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes. Curry said the team found a total of 55 vulnerabilities, 11 of which were rated "high severity" because they would have allowed an attacker to take control of parts of Apple's core infrastructure and, from there, steal private emails, iCloud data, and other private information. The 11 high-severity vulnerabilities are listed in the team's blog post.
"If these issues were exploited by an attacker, Apple would face a massive information disclosure and loss of integrity," Curry said in an online chat a few hours after publishing a 9,200-word article titled "We hacked Apple for 3 months: Here are the vulnerabilities we found." "For example, the attacker could access internal tools used to manage user information and also change surrounding systems to work as the hacker intended."

The most serious of the vulnerabilities the team found was a stored cross-site scripting (XSS) vulnerability in the JavaScript parser used by the www.iCloud.com server. It would have allowed an attacker to build a worm that stole a user's iCloud files and then infected the iCloud accounts of that user's contacts. Because iCloud powers Apple Mail, an attacker could compromise an iCloud account simply by sending an email containing malicious code to an iCloud.com address; the target only needed to open the email. Once that happened, the script hidden in the email could perform any action the target could perform while using iCloud in a browser. Curry said the stored XSS vulnerability was wormable, meaning it could spread from user to user as each one opened a malicious email: the worm could include a script that sent a copy of itself to every iCloud.com or Mac.com address in the victim's contact list.

In the process of finding the bugs, Curry and his team incidentally mapped the scale of Apple's online infrastructure. They found that Apple operates more than 25,000 web servers under apple.com, iCloud.com, and more than 7,000 other unique domains. Many of the vulnerabilities were found by searching for obscure Apple-owned web servers, such as the Apple Distinguished Educators site.
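The stored XSS described above belongs to a well-understood class of defect: untrusted content (here, the body of an incoming email) is placed into a page as markup rather than as text. The following added example, which is not code from the researchers or from Apple, shows the unsafe rendering pattern next to a hardened one that HTML-escapes every untrusted field, plus a crude check a reviewer can run over rendered output to spot active markup. The message object, the field names and the sample body are constructed for the example.

```javascript
// Minimal HTML escaping for text that will be placed inside element content
// or a double-quoted attribute. Covers the five characters that matter.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the subject and body are concatenated straight into markup,
// so any tags or event handlers in the email run in the reader's session.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><h2>${msg.subject}</h2><p>${msg.body}</p></div>`;
}

// Hardened rendering: every untrusted field is escaped, so the same content is
// displayed literally and can no longer execute.
function renderMessageSafe(msg) {
  return `<div class="msg"><h2>${escapeHtml(msg.subject)}</h2><p>${escapeHtml(msg.body)}</p></div>`;
}

// Review/detection helper: does a rendered fragment still contain markup that
// can execute or load resources? Coarse on purpose; it is a smoke test for a
// rendering path, not a sanitizer.
function containsActiveMarkup(html) {
  return /<\s*(script|iframe|img|svg|object|embed)\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed sample message for the example; not a payload from the research.
const SAMPLE_MESSAGE = {
  subject: "Quarterly report",
  body: 'Hello <b>there</b> <script>alert("constructed sample")</script>',
};

// Stand-alone demonstration of both renderers over the sample.
function demo() {
  const unsafe = renderMessageUnsafe(SAMPLE_MESSAGE);
  const safe = renderMessageSafe(SAMPLE_MESSAGE);
  return {
    unsafeIsActive: containsActiveMarkup(unsafe), // true: script survives
    safeIsActive: containsActiveMarkup(safe),     // false: script is inert text
    safeHtml: safe,
  };
}

module.exports = { escapeHtml, renderMessageUnsafe, renderMessageSafe, containsActiveMarkup, SAMPLE_MESSAGE, demo };
```

Escaping at the point of output is the fix for the rendering path itself; in a real mail client it would sit alongside a restrictive Content Security Policy so that a missed escape somewhere else cannot turn into script execution.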
Another vulnerability, in a site reserved for Apple Distinguished Educators, was that when someone submitted an application containing a username, last name, email address and employer, the site assigned the account a fixed default password, "###INvALID#%!3". "If someone applies using this system and has the ability to manually verify, you can simply log into their account with the default password, completely bypassing the 'Sign in with Apple' login method," Curry wrote. Eventually the team used brute-force guessing to identify a user named "erb" and logged into that user's account manually. They then logged into several other accounts, one of which had "core administrator" privileges. By taking control of that interface, they were able to take control of the ade.apple.com subdomain and reach the internal LDAP service that stores user account credentials, which in turn gave them access to much of the rest of Apple's internal network.

In total, Curry's team found and reported 55 vulnerabilities: 11 critical, 29 high, 13 medium, and 2 low. They are listed in Curry's blog post along with the dates on which they were discovered. Apple fixed the reported vulnerabilities within hours of Curry reporting them and making his recommendations. So far, Apple has addressed about half of the vulnerabilities and has pledged to pay out $288,500. Curry said that once Apple addresses the remaining vulnerabilities, the total payout could exceed $500,000.

In response, Apple issued the following statement: At Apple, we vigilantly protect our networks and have a dedicated team of information security professionals who work to detect and respond to threats. As soon as the researcher alerted us to the issue detailed in his report, we immediately fixed the vulnerability and took steps to prevent future issues of this kind.
According to our logs, the researcher was the first to discover the vulnerability, so we are confident that no user data was misused. We value our collaboration with security researchers to help keep our users safe, and we thank this team for their assistance; the company will reward them through the Apple Security Bounty program.