A team of hackers has discovered 55 vulnerabilities in Apple’s corporate network, 11 of which are critical. The team is to receive about half a million USD in bounty payments, and it has already received most of that amount. Apple says that everything has already been fixed and that the bounty hunters were the first to discover the flaws. Hackers like to maintain that vulnerabilities are always there, and that finding them is only a matter of looking deep enough for long enough. This was also the case for Apple’s corporate network, which was vulnerable to exploitation for months, as a skillful hacking team has proven.

The hackers were present in Apple’s network for three months, discovering 55 vulnerabilities along the way, 11 of which were critical. More specifically, the nastiest of the flaws were the following:

  1. Remote Code Execution via Authorization and Authentication Bypass
  2. Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  3. Command Injection via Unsanitized Filename Argument
  4. Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  5. Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  6. Vertica SQL Injection via Unsanitized Input Parameter
  7. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  8. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  9. Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  10. Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  11. Server-Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys

As the hackers point out, Apple maintains a massive infrastructure, consisting of 25,000 web servers and 7,000 unique domains. Their discoveries therefore cannot cover the entire spectrum of what could still be lurking there, so follow-up penetration testing should be considered a certainty. Apple was quick to fix all of the reported vulnerabilities, sometimes within a couple of hours of Curry’s report.

The worrying part of this report is that at least two critical flaws were found almost immediately, using automated scanning. These flaws could have enabled malicious actors to access internal VPN servers and obtain crucial information about how Apple’s authorization and authentication system works, both for employees and for customers. Whether there were any signs of this having happened is not addressed in the researchers’ write-up, so we’ll take that as a “maybe.”

Apple has denied that possibility, saying it sees no evidence of that in its logs. The official statement from the company is the following:

At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind. Based on our logs, the researchers were the first to discover the vulnerabilities so we feel confident no user data was misused. We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.

The discussion appeared on TechNadu.