Hackers like to maintain that vulnerabilities are always there, and finding them is only a matter of looking deep for long enough. This is also the case for Apple’s corporate network, which was vulnerable to exploitation for months, as proven by a skillful hacking team.
Led by 20-year-old bug bounty hunter Sam Curry, a team of professional hackers consisting of five experts found flaws in Apple’s networks. These could have affected iCloud accounts, exposed internal Apple projects, compromised warehouse software, taken over employee sessions, and given access to management tools.
The hackers were present in Apple’s network for three months, discovering 55 vulnerabilities along the way, 11 of which were critical. More specifically, the nastiest of the flaws were the following:
As the hackers point out, Apple maintains a massive infrastructure, consisting of 25,000 web servers and 7,000 unique domains. Thus, their discoveries don’t cover the entire spectrum of what could still be lying there, so a follow-up penetration test should be considered a certainty.
For the flaws that were discovered this time, the researchers have already received $288,000, while the total payout will definitely surpass half a million USD. Apple was quick to fix all of the reported vulnerabilities, sometimes within a couple of hours of Curry’s report.
The worrying part of this report is that at least two critical flaws were found almost immediately, using automated scanning. These flaws could have enabled malicious actors to access internal VPN servers and obtain crucial information about how Apple’s authorization and authentication system works, both for employees and for customers. Whether or not there were signs of this having happened isn’t addressed in the researcher’s write-up, so we’ll take that as a “maybe.”
Apple has denied that possibility, claiming to see no evidence of it in the logs. The official statement from the company is the following: