Apple Fixing Bugs Found in White Hat Hack

A white hat hack found 55 bugs on Apple’s network, 11 of them critical. The cost to fix them is not small.

Recently, there has been an uptick in cyber-attacks worldwide, which is why we have discussed the importance of white hat testing and how to handle the results of those tests. Many of the recent attacks have been on the healthcare industry. Attackers know the system is strained and the likelihood of receiving a ransom payment is pretty high. Apple should be thankful that attacks have been focused elsewhere, as a recent white hat hack revealed 55 vulnerabilities, 11 of them critical.

Sam Curry, who specializes in website security, is the researcher who led the team that conducted the white hat hack. “If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Curry said in an online chat a few hours after posting a 9,200-word write-up titled “We Hacked Apple for 3 Months: Here’s What We Found.” “For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”

The 11 critical vulnerabilities allowed Curry to take control of core Apple infrastructure. From there he could steal private emails, iCloud data and other private information. Those 11 instances are as follows:

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  • Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys

Apple has since fixed these vulnerabilities and is in the process of fixing the rest. This is why it is so important to stay on top of testing, and to do that testing prior to production and any time a configuration or security setting has been changed. Testing is not just about ensuring weaknesses are patched, but also about ensuring that functionality is not impaired (à la Microsoft’s recent Azure issue).

Apple is a giant corporation that can afford to spend the money to fix its vulnerabilities, but that cannot be said for the vast majority of businesses worldwide. Even with the company’s worth, you can be sure that it would much prefer not to have those vulnerabilities in the first place, not only for the security aspect, but also because it would have cost far less to ensure stability than to locate the problems after changes are implemented for customers. Still, the problems were caught, hopefully before a hacker could exploit them, which likely would have presented a major hit to Apple’s business.

Most companies cannot afford the repercussions of a data breach. As a business owner, leader or manager, you must do your part to keep your business secure. Testing is an integral part of the security process, and it’s most cost-effective when done properly: run white hat tests prior to deployment, on any first version and annually thereafter. Proactive preparation will protect you!

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who has founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
