Apple White Hat Hack Shows Value of Pen Testers


The best Cybersecurity Awareness Month lesson may have come from Apple, which could ultimately pay bug bounties of around $500,000 to a group of white hat hackers who found 55 vulnerabilities on Apple's own networks, including 11 critical vulnerabilities.

The main lesson is pretty simple: No one is safe, and the need for vigilance never ends.

The second, and potentially more interesting, lesson is that security needs to be a combination of tools - like vulnerability management, EDR, SIEM and firewalls - and humans, in the form of ethical hackers, pen testers and red teams.

From July 6 to October 6, the team of white hat hackers - Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes - "hacked on the Apple bug bounty program," as Curry, a 20-year-old web security researcher, put it in a nearly 10,000-word account of events on his blog. Security pros and researchers have praised Apple for allowing unusually detailed visibility into the vulnerabilities and the hackers' methods.

"During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources," Curry wrote.

The vast majority of the vulnerabilities have been fixed, some within a matter of hours after Curry's team alerted Apple. Apple's bug bounty program isn't limited to products, offering rewards for any vulnerability "with significant impact to users."

Curry's report is a master class in ethical hacking, detailing the methods and tools used, beginning with reconnaissance and brute-force attacks that uncovered VPN server flaws and taught the team a great deal about Apple's applications and their authentication and access methods. They used Burp Suite, a well-known suite of pentesting and vulnerability-scanning tools, to get started and at a few points along the way, in addition to a lot of trial and error, to uncover common issues like cross-site scripting (XSS) flaws, SQL injection vulnerabilities and misconfigured permissions. They estimate they spent a few hundred hours on the project.

Here are the 11 critical vulnerabilities; another 29 were classified as high severity.

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  • Server Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys

So far Apple has paid the team $288,000 in bounties, and the total could eventually exceed $500,000.

Tools and ethical hackers both needed

We asked Curry and a few vulnerability management vendors if the ethical hacking team's work could be automated, and the answer was unanimous: organizations need both tools - like vulnerability management and breach and attack simulation - and professionals to stay on top of security issues.

"If automated tools could identify all of the vulnerabilities found by penetration testers/ethical hackers, then there wouldn't be any ethical hackers," Curry told eSecurity Planet. "In a world where those scanners did exist, the tools would likely be open sourced and security vulnerabilities would be solved, making me and many others jobless."

Bharat Jogi, senior manager for vulnerability and threat research at Qualys, agreed. "Both vulnerability management tools and specialized security teams are essential. Vulnerability management tools quickly catch the low-hanging fruits and the known vulnerabilities and allow the security teams to focus on the site-specific, manual work."

"Discovering and exploiting vulnerabilities in any organization is a multi-step process, from reconnaissance to validation to successful exploitation," Jogi told eSecurity Planet. "And to do this well, it requires a combination of tools that can perform automated vulnerability assessment at scale to identify the vulnerable pieces of software or services, followed by careful manual review and analysis of vulnerabilities to exploit them. And it was no different in this case. Vulnerability assessment and management tools play a major role in identifying the attack surface, which then can be used by specialized teams to sharpen their focus on high-value vulnerabilities and exploit them."