domingo, 11 de outubro de 2020

55 Apple vulnerabilities risked iCloud account takeover, data theft

 Por SudaisAsif em 09/10/2020 no site HackHead





Bug bounty programs happen to be effective as they offer independent ethical hackers the motivation to help companies find vulnerabilities.

A recent case is a testimony to this where a team of cyber security researchers has succeeded in finding a total of 55 vulnerabilities in Apple’s networks over a course of 3 months. The names and Twitter handle of researchers participated in Apple’s bug bounty program are:

Meanwhile, the 55 vulnerabilities were classified as the following:

  • 11 as critical due to the extreme threat they posed of user data theft and access to Apple’s main network
  • 29 as high severity
  • 13 as medium severity
  • 2 as low severity 

All of these distributively include remote code execution, memory leaks, SQL injections & cross-site scripting (XSS) attacks, the details of which are available on the researchers’ official blog post.

Elaborating a bit on the consequences of the vulnerabilities, there were many. First, the iCloud accounts of users could be accessed using a worm leading to a serious privacy breach and potential phishing attacks.

Secondly, not only could Apple’s proprietary source code of its projects be exposed but the user sessions of Apple employees could also be taken over resulting in the attacker’s control “management tools and sensitive resources”.

Thirdly, Apple uses industrial control warehouse software which would also have been compromised. The following list comprises of first 10 vulnerabilities reported by the researchers:

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows the Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking.

The full list of vulnerabilities and technical details are available on the researchers’ blog post.

Currently, the security researchers have been paid a total of $288,500 but more payments are expected to come in which may go up to $500,000.

On the other hand, all the disclosed vulnerabilities have been fully fixed by 6th October which can put users at ease as their data is no more at risk. Nevertheless, credit also goes to Apple since they responded to every vulnerability report in a time span of 4-48 hours which shows a sense of responsibility by the tech giant.

For the future, other companies should learn from this incident and implement vulnerability disclosure and bug bounty programs along with dedicated cybersecurity professionals to handling such reports. This can go a long way in mitigating the effects of such an incident.