Why don't you guys read the article? They have gotten money for FOUR exploits SO FAR. They WILL GET MORE MONEY.

It shows 4 payments but it doesn't state 4 exploits. Considering there are words like "vulnerabilities" and "system memory leaks", the text clearly suggests there were more discoveries than one in each segment (payment breakdown).

As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.
 
Just me, but the rewards are a pittance. They'll attract more black hats than white hats. Black hats now know that there were lots of discovered vulnerabilities. They'll go poking for others, but won't report them to Apple for chump change. They'll cash in by selling to others, most likely China or the Feds.
 
It shows 4 payments but it doesn't state 4 exploits. Considering there are words like "vulnerabilities" and "system memory leaks", the text clearly suggests there were more discoveries than one in each segment (payment breakdown).

As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.
"However, it appears that Apple does payments in batches and will likely pay for more of the issues in the following months."
 
50k for 55 discoveries. On average, it doesn't seem to be worthwhile... I would think they would pay more since lawsuits and internal software releases would cost exponentially more. Always looking for the best deal, even with iOS security.
 
User privacy and security are #1.

Be sure:

Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation.

Also:

To be brief: Apple's infrastructure is massive.

They own the entire 17.0.0.0/8 IP range, which includes 25,000 web servers with 10,000 of them under apple.com, another 7,000 unique domains, and to top it all off, their own TLD (dot apple). Our time was primarily spent on the 17.0.0.0/8 IP range, .apple.com, and .icloud.com since that was where the interesting functionality appeared to be.

---

We've obtained permission from the Apple security team (product-security@apple.com) to publish this and are doing so under their discretion. All of the vulnerabilities disclosed here have been fixed and re-tested.
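The post above quotes the researchers' scope: the 17.0.0.0/8 range plus the apple.com and icloud.com domain trees. When triaging recon output against a bounty scope like that, the usual mistake is a naive string suffix match, which lets a lookalike such as notapple.com or a name that merely contains "icloud.com" slip in. The following is an added example (not code from the article, the researchers, or this thread) that checks a (hostname, resolved IP) pair against both rules, matching domains only on label boundaries; the scope values are taken from the quoted text and the sample hosts and addresses are constructed for illustration:

```python
import ipaddress

# Scope as quoted in the post: the 17.0.0.0/8 range plus the apple.com and
# icloud.com domain trees. Treat these as assumptions for the example; a real
# engagement takes the scope verbatim from the program's written rules.
SCOPE_CIDRS = [ipaddress.ip_network("17.0.0.0/8")]
SCOPE_DOMAINS = ["apple.com", "icloud.com"]


def domain_in_scope(hostname: str, scope_domains=SCOPE_DOMAINS) -> bool:
    """True if hostname equals a scope domain or sits below it.

    The match is anchored on a label boundary ("." + domain), so
    'notapple.com' is out of scope for 'apple.com' while 'apple.com' and
    'www.apple.com' are in. A trailing dot (FQDN form) is tolerated.
    """
    host = hostname.rstrip(".").lower()
    for domain in scope_domains:
        domain = domain.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def ip_in_scope(ip: str, scope_cidrs=SCOPE_CIDRS) -> bool:
    """True if ip parses as an address inside one of the scope networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # not an IP literal (e.g. a CNAME left in the data)
        return False
    return any(addr in net for net in scope_cidrs)


def classify(host: str, ip: str) -> dict:
    """Report which scope rule(s) a (hostname, resolved IP) pair satisfies."""
    by_domain = domain_in_scope(host)
    by_ip = ip_in_scope(ip)
    return {
        "host": host,
        "ip": ip,
        "domain_match": by_domain,
        "ip_match": by_ip,
        "in_scope": by_domain or by_ip,
    }


def filter_scope(pairs):
    """Keep only the pairs that match at least one scope rule."""
    return [classify(h, i) for h, i in pairs if classify(h, i)["in_scope"]]


# Constructed sample recon output (hostname, resolved IP); not real data.
SAMPLE = [
    ("www.apple.com", "17.253.144.10"),                   # in by domain and IP
    ("notapple.com", "203.0.113.5"),                      # lookalike, out
    ("cdn.example.net", "17.1.2.3"),                      # third-party name, in-range IP
    ("mail.icloud.com.attacker.test", "198.51.100.9"),    # contains "icloud.com", out
    ("apple", "17.0.0.1"),                                # bare TLD name, in by IP only
]

if __name__ == "__main__":
    for row in filter_scope(SAMPLE):
        print(row)
```

A host such as cdn.example.net that lands in scope only because its address sits in 17/8 deserves a second look before testing: the range rule says the server is Apple-operated, but the name tells you a different party may own the content, and the program text, not the script, settles what is fair game.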

That seems to be quite a low payment for finding 55 problems. Each guy made about $850/week.

Did you read the article?

However, it appears that Apple does payments in batches and will likely pay for more of the issues in the following months.
 
This is definitely one area I feel is Apple's strong point. The desire to squash out the bugs. Best part is they can mass update everyone within the iOS support plan. You cannot find this type of effort with Google, nor do they have the power to compel the carriers to update as well. I love Android for the emulators but security... you have to know out the door what you're honestly getting. +1 to Apple.
 
This seems like a low payout to me for the amount of effort that went in. Five people spent three months on this and were apparently quite prolific - they found 55 different vulnerabilities that Apple evidently knew nothing about. I feel like somebody able to find these kinds of bugs is probably worth at least $100K/year, and maybe 2-5 times that amount. So they had 5 of these people for 3 months = 15 months or 1.25 years. Apple should be paying a minimum of $125K for it all, and maybe as much as $600K.

On the other hand, though, how much value does Apple get out of having these vulnerabilities solved? Were they ever going to be discovered by malicious actors otherwise? How much damage would those actors have been able to do?

I don't disagree, just a remark: we don't know if they were on it full time.
 
"launch a worm capable of automatically taking over a victim's iCloud account"

You'd think that such a bug would warrant the one million dollar bounty. If not that, then what warrants it? I mean the hackers could literally take over Apple employee accounts, see secret hidden product information and automatically take over entire iCloud accounts. Those are insane security holes.
Conspicuously missing from the summary is a list of precisely what conditions are necessary to exploit the vulnerability. If, say, this one could only be triggered when the date is past the year 3000, during a leap second on February 29th and the user is in zero G and the user’s name starts with “”... then it’s a serious problem (because of the potential consequences), but not one warranting the one million dollar bounty.
 
Seems like the researchers that got the stipend still opted for the stipend instead of going rogue with them. That seems to say they don't share your point of view.
Nobody knows for sure what was done with the security exploit beforehand (including me). My guess would be that Apple (and others) would/should only pay out to the first people who bring the exploit to their attention. If the bounty is paltry then that opens the door to running the acceptable risk of making a little extra shady cash on the side before submitting it for bounty. If the bounty is appealing enough you wouldn't run that risk.
 
Nobody knows for sure what was done with the security exploit beforehand (including me). My guess would be that Apple (and others) would/should only pay out to the first people who bring the exploit to their attention. If the bounty is paltry then that opens the door to running the acceptable risk of making a little extra shady cash on the side before submitting it for bounty. If the bounty is appealing enough you wouldn't run that risk.
It doesn’t matter to Apple is my guess. But if these researchers double deal, they could set themselves up for some unpleasantness in the future. Again, as I noted above, whatever the researchers uncovered and what they got paid for, imo, would depend a lot on the vulnerability.
 