55 New Security Flaws Reported in Apple Software and Services

A team of five security researchers studied multiple Apple online services for three months and found as many as 55 vulnerabilities

11-Oct-2020
4 min read

A team of five security researchers studied multiple Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity. The flaws, which also include 29 high-, 13 medium- and 2 low-severity vulnerabilities, could have allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, recover source code for internal Apple projects, fully compromise industrial control warehouse software used by Apple, and take over the sessions of Apple employees, with the ability to access management tools and sensitive resources.

The iCloud flaw meant a bad actor could hijack a user's iCloud account, steal all of their photos, videos, calendar data and documents, and forward the same exploit to all of their contacts.

The findings were announced by Sam Curry along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes, who carried out the work over a three-month period between July and September. After the flaws were responsibly disclosed to Apple, the iPhone maker patched most of them within 1-2 business days, with a few fixed within as little as 4-6 hours. To date, Apple has processed over 28 of the vulnerabilities, paying out a total of $288,500 through its bug bounty program.

The critical bugs, as pointed out by Sam Curry and the team, include:

- Remote Code Execution through Authorization and Authentication Bypass
- Authentication Bypass through Misconfigured Permissions allows Global Administrator Access
- Command Injection through Unsanitized Filename Argument
- Remote Code Execution through Leaked Secret and Exposed Administrator Tool
- Memory Leak leads to Employee and User Account Compromise allowing entry to various internal apps
- Vertica SQL Injection through Unsanitized Input Parameter
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
- Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
- Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
- Server Side PhantomJS Execution allows an attacker to Access Internal Resources and Recover AWS IAM Keys

One of the affected Apple domains was the Apple Distinguished Educators site ("ade.apple.com"), which allowed an authentication bypass using a default password ("###INvALID#%!3"), thus letting an attacker access the administrator console and execute arbitrary code. Similarly, a flaw in the password reset process of an application called DELMIA Apriso, a warehouse management solution, made it possible to create and change shipments and inventory information, validate employee badges, and take full control of the software by creating a fake user.

A separate flaw was found in the Apple Books for Authors service, which authors use to write their books and get them published on the Apple Books platform. Using only the ePub file upload tool, the researchers were able to manipulate the HTTP requests so as to run arbitrary commands on the "authors.apple.com" server.

Among the other critical risks the researchers revealed was a cross-site scripting (XSS) vulnerability in the "www.icloud.com" domain. It could be triggered simply by sending a target with an iCloud.com or Mac.com address a specially crafted email that, when opened through Apple Mail in the browser, allowed the attacker to steal all of the victim's photos and contacts. What's more, the XSS vulnerability was wormable, meaning it could propagate by sending a similar email to every iCloud.com or Mac.com address stored in the victim's contacts.

Sam Curry stated in his blog post that when they first started the project they had no idea they would spend a little over three months working towards its completion: "This was in reality meant to be a side project that we would work on every once in a while, but with all of the extra free time in the midst of the pandemic, we each ended up putting a few hundred hours into it."
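The ePub upload issue is an instance of the "command injection through unsanitized filename" class listed above: a client-supplied file name ends up inside a string that a shell parses. The following is an added illustration, not code from the article or from Apple's service; the checker name epubcheck, the upload directory and the allow-list pattern are assumptions. It places the vulnerable construction beside a hardened handler that validates the name and never involves a shell.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Assumptions (not from the article): the upload handler hands the file to a
# command-line checker named 'epubcheck' and stores uploads under /srv/uploads.
UPLOAD_DIR = Path("/srv/uploads")
# Allow-list: plain name, no path separators, no leading dot, .epub suffix.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.epub$")


def vulnerable_command(filename: str) -> str:
    """The flawed pattern: the client-controlled name is pasted into a single
    string that a vulnerable handler would pass to a shell (shell=True).
    Any shell metacharacter in the name is then interpreted as syntax.
    Returned here for inspection, never executed."""
    return f"epubcheck {UPLOAD_DIR}/{filename}"


def hardened_argv(filename: str) -> List[str]:
    """Validate the name against the allow-list, pin it inside UPLOAD_DIR and
    return an argument vector that no shell will ever parse."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    target = (UPLOAD_DIR / filename).resolve()
    if target.parent != UPLOAD_DIR.resolve():  # defence in depth against ../
        raise ValueError("path escapes the upload directory")
    return ["epubcheck", str(target)]


def check_upload(filename: str) -> subprocess.CompletedProcess:
    # shell=False: argv goes straight to exec, so no character in the name can
    # terminate the command or start another one.
    return subprocess.run(hardened_argv(filename), shell=False,
                          capture_output=True, timeout=60)


if __name__ == "__main__":
    print(vulnerable_command("book.epub"))   # the string a shell would receive
    print(hardened_argv("book.epub"))        # validated argv, no shell involved
    try:
        hardened_argv("book;ls.epub")        # rejected before any command exists
    except ValueError as err:
        print(err)
```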