{"id":8158,"date":"2020-10-16T00:00:00","date_gmt":"2020-10-16T00:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2020\/10\/16\/apple-white-hat-hack-shows-value-of-pen-testers\/"},"modified":"2023-05-12T14:34:03","modified_gmt":"2023-05-12T14:34:03","slug":"apple-white-hat-hack-shows-value-of-pen-testers","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/apple-white-hat-hack-shows-value-of-pen-testers\/","title":{"rendered":"Apple White Hat Hack Shows Value of Pen Testers"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
\n

 <\/p>\n

 <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

The best Cybersecurity Awareness Month<\/a> lesson may have come from Apple, which could ultimately pay bug bounties of around $500,000 to a group of white hat hackers who found 55 vulnerabilities on Apple’s own networks, including 11 critical vulnerabilities.<\/p>\n

The main lesson is pretty simple: No one is safe, and the need for vigilance never ends.<\/p>\n

The second, and potentially more interesting lesson, is that security needs to be a combination of tools – like vulnerability management<\/a>, EDR<\/a>, SIEM<\/a> and firewalls<\/a> – and humans, in the form of ethical hackers<\/a>, pen testers<\/a> and red teams<\/a>.<\/p>\n

From July 6 to October 6, the team of white hat hackers – Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes – “hacked on the Apple bug bounty program,” as Curry, a 20-year-old web security researcher, put it in a nearly 10,000-word account of events on his blog<\/a>. Security pros and researchers have praised Apple for allowing unusually detailed visibility into the vulnerabilities and the hackers’ methods.<\/p>\n

“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” Curry wrote.<\/p>\n

The vast majority of the vulnerabilities have been fixed, some within a matter of hours after Curry’s team alerted Apple. Apple’s bug bounty program isn’t limited to products, offering rewards for any vulnerability “with significant impact to users.”<\/p>\n

Curry’s report is a master class in ethical hacking, detailing the methods and tools used, beginning with reconnaissance and brute force attacks that uncovered VPN<\/a> server flaws and taught the team much about Apple’s applications and authentication and access<\/a> methods. They used the Burp Suite<\/a>, a well-known suite of pentesting<\/a> and vulnerability scanning<\/a> tools, to get started and a few times along the way, in addition to a lot of trial and error, to uncover common issues like cross-site scripting<\/a> (XSS) flaws, SQL injection<\/a> vulnerabilities and misconfigured permissions. They spent a few hundred hours on the project, they estimate.<\/p>\n

Here are the 11 critical vulnerabilities; another 29 were classified as high severity.<\/p>\n