Hacking Team Found 11 Critical Flaws on Apple’s Corporate Network

By Bill Toulas / October 9, 2020

Hackers like to maintain that vulnerabilities are always there, and that finding them is only a matter of looking deeply for long enough. This was also the case for Apple’s corporate network, which was vulnerable to exploitation for months, as proven by a skillful hacking team.

Led by 20-year-old bug bounty hunter Sam Curry, a team of five professional hackers found flaws in Apple’s networks. These could have affected iCloud accounts, exposed internal Apple projects, compromised warehouse software, taken over employee sessions, and given access to management tools.

The hackers were present in Apple’s network for three months, discovering 55 vulnerabilities along the way, 11 of which were critical. More specifically, the nastiest of the flaws were the following:

  1. Remote Code Execution via Authorization and Authentication Bypass
  2. Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  3. Command Injection via Unsanitized Filename Argument
  4. Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  5. Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  6. Vertica SQL Injection via Unsanitized Input Parameter
  7. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  8. Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  9. Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  10. Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  11. Server-Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys


As the hackers point out, Apple maintains a massive infrastructure, consisting of 25,000 web servers and 7,000 unique domains. Their discoveries therefore don’t cover the entire spectrum of what could still be lying there, so follow-up penetration testing should be considered a certainty.

For the flaws discovered this time, the researchers have already received $288,000, while the total amount will definitely surpass half a million USD. Apple was quick to fix all of the reported vulnerabilities, sometimes within a couple of hours of Curry’s report.

The worrying part of this report is that at least two critical flaws were found almost immediately, using automated scanning. These flaws could have enabled malicious actors to access internal VPN servers and obtain crucial information about how Apple’s authorization and authentication system works, both for employees and for customers. Whether there were signs of this having already happened isn’t addressed in the researchers’ write-up, so we’ll take that as a “maybe.”

Apple has denied that possibility, claiming to see no evidence of it in its logs. The official statement from the company is the following:

At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind. Based on our logs, the researchers were the first to discover the vulnerabilities so we feel confident no user data was misused. We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.
