A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity.
The flaws — including 29 high severity, 13 medium severity, and 2 low severity vulnerabilities — could have allowed an attacker to "fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources."
The flaws meant a bad actor could easily hijack a user's iCloud account and steal all the photos, calendar information, videos, and documents, in addition to forwarding the same exploit to all of their contacts.
The findings were reported by Sam Curry along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes over a three month period between July and September.
After they were responsibly disclosed to Apple, the iPhone maker took steps to patch the flaws within 1-2 business days, with a few others fixed within a short span of 4-6 hours.
So far, Apple has processed about 28 of the vulnerabilities with a total payout of $288,500 as part of its bug bounty program.
The critical bugs pointed out by Sam Curry, and the team are as follows:
- Remote Code Execution via Authorization and Authentication Bypass
- Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
- Command Injection via Unsanitized Filename Argument
- Remote Code Execution via Leaked Secret and Exposed Administrator Tool
- Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
- Vertica SQL Injection via Unsanitized Input Parameter
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
- Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
- Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
- Server Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys
One of the Apple domains that were impacted included the Apple Distinguished Educators site ("ade.apple.com") that allowed for an authentication bypass using a default password ("###INvALID#%!3"), thus permitting an attacker to access the administrator console and execute arbitrary code.
Likewise, a flaw in the password reset process associated with an application called DELMIA Apriso, a warehouse management solution, made it possible to create and modify shipments, inventory information, validate employee badges, and even take full control over the software by creating a rogue user.
A separate vulnerability was also discovered in Apple Books for Authors service that's used by authors to help write and get their books published on the Apple Books platform. Specifically, using the ePub file upload tool, the researchers were able to manipulate the HTTP requests with an aim to run arbitrary commands on the "authors.apple.com" server.
Among the other critical risks revealed by the researchers were those that stemmed from cross-site scripting (XSS) vulnerability in the "www.icloud.com" domain, which operates by just sending a target with iCloud.com or Mac.com address a specially-crafted email that, when opened via Apple Mail in the browser, allowed the attacker to steal all the photos and contacts.
What's more, the XSS vulnerability was wormable, meaning it could be easily propagating by sending a similar email to every iCloud.com or Mac.com address stored in the victim's contacts.
"When we first started this project we had no idea we'd spend a little bit over three months working towards its completion," Sam Curry noted in his blog post. "This was originally meant to be a side project that we'd work on every once in a while, but with all of the extra free time with the pandemic we each ended up putting a few hundred hours into it."