Five Hackers Found 55 Bugs in Apple Products in 3 Months

guest · Oct 10, 2020

Five Hackers Found 55 Bugs in Apple Products in 3 Months and Made $51,500
Apple rewarded the researchers for finding some very serious bugs in the company's websites
October 8, 2020
https://www.vice.com/en/article/v7g5ea/hackers-found-55-bugs-in-apple-productsmade-dollar51500

UPDATE, Oct. 8, 5:36 p.m. ET: A few hours after we published this story, Curry said that Apple had just notified the researchers that they were getting more rewards, bringing the total to $288,500. At this point, according to Curry, Apple has paid rewards for 32 of the 55 bugs he and his friends reported.
Click to expand...

Five hackers researched and analyzed several Apple online services for three months and found a grand total of 55 vulnerabilities, some of them potentially very dangerous, according to a blog post written by one of the hackers.

One of the worst of all the bugs they found would have allowed criminals to create a worm that would automatically steal all the photos, videos, and documents from someone's iCloud account and then do the same to the victim's contacts.
The researchers said they also found that they could access Apple's source code repository, the place where Apple stores code for "hundreds of different applications, iOS, and macOS."
Click to expand...

"Imagine if any nation state threat actor discovered those. Imagine how far reaching the damage would be. Apple is signaling that all that is only worth 50k to them. That to me is insane, and contravines all of their huge public marketing campaigns about how they take privacy and security seriously."

For Katie Moussouris, perhaps the world's foremost expert in bug bounties, the payments may be fair.

"The real question is: could Apple have paid the same amount to professional penetration testers, given them documentation instead of wasting their time doing black box recon, and found the same or more in far less time," Moussouris concluded.
Click to expand...

As a former Apple employee joked on Twitter that "bounties are really cheap labor."

As the cybersecurity consultancy Trail of Bits wrote in a blog post last year, "trying to make a living as a programmer participating in bug bounties is the same as convincing yourself that you’re good enough at Texas Hold ‘Em to quit your job."
Click to expand...

guest · Oct 10, 2020

Researchers' experience with Apple offers peek at 'confusing' vulnerability award process
October 9, 2020
https://www.cyberscoop.com/apple-hack-bounty-research-reward-flaws/

Five researchers who found 55 vulnerabilities in Apple’s online services and assets, some of which were critical vulnerabilities, received nearly $300,000 from the Silicon Valley giant Thursday – but it was a journey to get there.

At first, the researchers were only paid a fraction of that, and the road to a larger payment — which appears to align more with typical Apple vulnerability research rewards — has been frustrating and confusing, according to one of the researchers involved.
The vulnerabilities, which the researchers investigated over the last three months, included 11 critical and 29 high-severity flaws. One would allow attackers to compromise victims’ iCloud accounts without any user interaction.
Click to expand...

The payment was doled out in pieces and, before Thursday, the five researchers had only received $51,500 for all 55 vulnerabilities — a low sum compared to some of Apple’s previous awards to researchers who have found important bugs in Apple products and services.

Curry told CyberScoop the process had its problems, but that Apple had said it would make more payments to his team in the near future, meaning the timing of the increased payment could have been coincidental.

“It’s a bit confusing and maybe a little frustrating, but from their side it totally makes sense,” Curry said in a Twitter exchange. “Bug bounty programs are meant typically to take maybe 1-2 things of this caliber a week. It would make sense if their security team was somewhat overwhelmed with all of the open tickets at once.”
An Apple spokesperson declined to elaborate on the timing, but said the company was grateful for the work of Curry and his colleagues Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes.
Click to expand...

Log in or Sign up

Five Hackers Found 55 Bugs in Apple Products in 3 Months

guest Guest

guest Guest

Log in or Sign up

Five Hackers Found 55 Bugs in Apple Products in 3 Months

guest Guest

guest Guest

Useful Searches