Hackers Discover 55 Apple Vulnerabilities, Awarded Nearly $300,000 in Bounties [Updated]

[DaveP]

The bounties do seem low, but we also don't know the attack vectors. While the vulnerabilities seem very serious, it may require a particular setup or access that would be very improbable. Or, maybe they are just low...

 

[Expos of 1969]

Exactly. Well put. That’s why, knowing there’s no such thing as an unhackable mainstream OS, Apple now has a bug bounty program, paid them quickly, and promptly remediated the bugs they found. I would’ve had the same comment.

Took Apple a long time to establish a bug bounty program and they probably only did so as the bad press reports were mounting.

 

[Schismz]

I, too, am glad they reported some, but we don't know that they reported them all though. They might have found 56 and sold the last one to someone willing to pay much more since it was more significant.

Or they might have found 55 out of 60 in the area they were looking, and someone else (e.g. NSA, FBI, CIA, Russia, China, UK, Germany, Australia, NK, Cuba etc) could have found another 5.

It is great they are seemingly white hat hackers and reporting them responsibly, but no one can say that with any certainty.

For black hat hackers, this would be a perfect cover. Find a bunch of bugs, report them, to get access to the special phones. Use that special access to keep reporting 99% of the ones found, while keeping the last 1% of significant bugs for sale to the highest bidder (anonymously of course).

Well... they didn't exactly make very much money from Apple. There are many companies in existence whose entire business model is selling 0-day exploits to the highest bidder. In some jurisdictions that's called racketeering or organized crime as opposed to a business plan, but <shrug> relocate to a jurisdiction that's fine with it and doesn't care.

FWIW the #1 buyer of 0-days is of course the US government.

I'm pretty sure this is just the tip of the Swiss-cheese iceberg. Checkra1n is doing fun things to the T2 that Apple doesn't highlight much, 'cuz it can't fix them.

Just sayin' It's not like Apple is unique, that's every OS and the internet. If you want security, then don't toss it in someone else's cloud and don't connect it to tEh internet.

5 minutes after building a better mousetrap, inevitably, a better mouse emerges <-- infinite loop.

 

[jonnysods]

Good for these guys, way to hustle. Not a full time salary, but a decent side hustle.

 

[Seoras]

Only $50k for that eye watering list of holes? They should get $50k each and a xmas bonus.

 

[Analog Kid]

Apple needs to raise their bounties. These guys pulled in $3k a month doing this? That's not a sufficient motivator, and relies too strongly on their ethics to sell what they know to what is surely the lower bidder.

The way I see it, this kind of security testing requires highly skilled people who can easily make better money doing other things. If that's not true, and these guys found these holes anyway, then there are way too many holes. Either way, Apple should be paying more to sort these out.

The goal should be to have a high enough bounty that your system is secure enough you don't have to pay the bounty.

 

[Kabeyun]

[1] Took Apple a long time to establish a bug bounty program and [2] they probably only did so as the bad press reports were mounting.

1 - yes, they took longer than they should’ve
2 - conjecture
3 - my statement is still true

 

[jimbobb24]

Finding these vulnerabilities are so valuable if I were Apple I would pay double or triple this. I would want everyone looking for them to make the code better.

 

[Kabeyun]

Pretty stingy for a trillion dollar company.

Bug bounties are not typically proportional to corporate net worth. They have going rates, with zero-day exploits being the most valuable.

 

[69Mustang]

Neither response is accurate.

Pretty stingy for a trillion dollar company.

They aren't stingy. The situation was fluid and still updating. Apple has thus far paid over $288K and reportedly could end up paying more than $500K. Hardly stingy.

Bug bounties are not typically proportional to corporate net worth. They have going rates, with zero-day exploits being the most valuable.

The $50K would have hardly been the going rate for 11 critical vulnerabilities. Had it been $50K total, that would have been stingy for 55 disclosures. Since that wasn't the case, it's moot. When it's all said and done, Apple will have paid an amount that shows appreciation for the work done and incentivizes others to disclose to them instead of vulnerability brokers and 3-letter agencies.
Details at Ars: https://arstechnica.com/information...-of-internal-apple-network-get-288000-reward/

 

[Robert.Walter]

Apple is vastly under compensating these researchers. They should be getting bonuses 10x as large as they do.

By being cheap, Apple risks some researchers selling their discoveries to malicious 3rd parties.

 

[RustyIron]

Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.

 

[I7guy]

Apple is vastly under compensating these researchers. They should be getting bonuses 10x as large as they do.

By being cheap, Apple risks some researchers selling their discoveries to malicious 3rd parties.

Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.

If you read the post above yours and clicked on the link, you wouldn’t be so quick to criticize Apple. But carry on.

 

[JagRunner]

What are all the people that only trust Apple with their CC information going to do now that they know Apple isn’t perfectly secure? 🤣

 

[travelsheep]

$51,500 / 5 men / 3 months = $3,500 per month before taxes and expenses. If this was full time by seasoned professionals that perform above Apple IT skill levels then the bounty hunt can hardly be called "considerable payments"...

 

[I7guy]

What are all the people that only trust Apple with their CC information going to do now that they know Apple isn’t perfectly secure? 🤣

Imagine how bad it would be if one had to give their cc all over the net and vulnerabilities were never patched at these multiple third parties. 😂

 

[szw-mapple fan]

wow. just glad they (hackers) reported it to apple so they (apple) could fix the vulnerabilities.

Damn, if you didn’t clarify I would have thought you were saying they (apple) reported it to apple so they (hackers) could fix the vulnerabilities.

 

[szw-mapple fan]

Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.

Competent whitehat hackers like them are paid a considerable amount by different companies. It was obviously worth it to them for their time to get the award. I very much doubt they were doing this for most of the 3 months.

 

[JagRunner]

Imagine how bad it would be if one had to give their cc all over the net and vulnerabilities were never patched at these multiple third parties. 😂

imagine being scared to use your card outside the Apple App Store.

 

[I7guy]

imagine being scared to use your card outside the Apple App Store.

Yeah, imagine wanting to spend more time reconciling the charges than needed. But if it’s your desire to spread the wealth, charge around, give hour cc to multiple unknown third parties...I’m sure android can accommodate you.

 

[JagRunner]

Yeah, imagine wanting to spend more time reconciling the charges than needed. But if it’s your desire to spread the wealth, charge around, give hour cc to multiple unknown third parties...I’m sure android can accommodate you.

ive been using CCs all over the place for decades. I’ve probably had ONE fraudulent charge In that entire Time. CC company took care of it swiftly.

It’s ok to come out into the real world. You’ll be ok lol

 

[MacBH928]

I always want to know when hackers try to find a vulnerability, where do they start?

either way, $50K is peanuts for 55 issues on a company the size of Apple. They should have gave them $500K, if someone found those vulnerabilities people will be suing Apple like crazy.

 

[I7guy]

ive been using CCs all over the place for decades. I’ve probably had ONE fraudulent charge In that entire Time. CC company took care of it swiftly.

It’s ok to come out into the real world. You’ll be ok lol

Actually, I've had a spate of fraudulent charges over the years. Yeah, so it's nice not to worry about that with Apple. And if it does come to pass, I know it will be dealt with in a reasonable manner.

It's really ok, you're allowed to admit it's (the app store) a pretty good system.

 

[Stratus Fear]

MacRumors really should update this post. They've now received nearly $300k in payments. Apparently Apple does not pay in lump but in batches as they confirm and fix vulnerabilities.

Source: https://threatpost.com/3-month-apple-hack-vulnerabilities-critical/159988/

 

[iAssimilated]

Neither response is accurate.

They aren't stingy. The situation was fluid and still updating. Apple has thus far paid over $288K and reportedly could end up paying more than $500K. Hardly stingy.

The $50K would have hardly been the going rate for 11 critical vulnerabilities. Had it been $50K total, that would have been stingy for 55 disclosures. Since that wasn't the case, it's moot. When it's all said and done, Apple will have paid an amount that shows appreciation for the work done and incentivizes others to disclose to them instead of vulnerability brokers and 3-letter agencies.
Details at Ars: https://arstechnica.com/information...-of-internal-apple-network-get-288000-reward/

MacRumors really should update this post. They've now received nearly $300k in payments. Apparently Apple does not pay in lump but in batches as they confirm and fix vulnerabilities.

Source: https://threatpost.com/3-month-apple-hack-vulnerabilities-critical/159988/

This! Yes, I too, believe MR should update this article since new information has come out showing these researchers are getting way more money than originally stated. I applaud their work and I am happy Apple is compensating them appropriately.

EDIT: It appears MR has updated the article. Thank you!