A group of benevolent hackers exposed 55 vulnerabilities at Apple

In a blog post last week, Sam Curry detailed how he and four others hacked Apple over the course of three months. The team found 55 vulnerabilities, 11 of which were deemed critical. As the team notified the company, Apple reportedly resolved the issues in a maximum of two business days and, in some instances, as little as a few hours. As of Tuesday, most of the vulnerabilities have been addressed and the team had been compensated $288,000 for their findings.

Hacking Apple — Curry, along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb, Tanner Barnes, turned their hacking efforts to the Apple bug bounty program between July 6 to October 6. They undertook the task in response to a tweet about the program offering $100,000 for reports on issues that could bring harm to Apple’s users.

In that time, they found dozens of vulnerabilities — 11 critical, 29 high-severity, 13 medium-severity, and two low-severity issues. Two of the most egregious problems exposed users’ iCloud accounts and allowed hackers to gain administrative control of the Apple Distinguished Educator (ADE) forum.

By exploiting iCloud and Apple Mail’s integration, the hackers could send emails with characters that granted access to the receiver’s iCloud upon opening them. This worm vulnerability applied to users with Mac.com or iCloud.com addresses, but could easily spread to multiple users from there.

For the ADE forum, they took advantage of a default password in order to brute-force the creation of an account with administrative privileges. In addition to code execution, they also had access to users' personal information, including their full names and employers.

A surprising payday — When the team shared their findings with Apple, they received $51,500 for reports on four vulnerabilities, according to Ars Technica. Once Apple starting digging deeper into the list, however, Curry was notified of an additional $237,000 for 28 other vulnerabilities. It’s estimated that the team will ultimately receive about half a million dollars when all of the reports are assessed. That's still good value for Apple when you consider the potential harm those looking to expose those vulnerabilities could manage.