Apple Pays $288,000 To White-Hat Hackers Who Had Run of Company's Network (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: For months, Apple's corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday. Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.
Apple promptly fixed the vulnerabilities after Curry reported them over a three-month span, often within hours of his initial advisory. The company has so far processed about half of the vulnerabilities and committed to paying $288,500 for them. Once Apple processes the remainder, Curry said, the total payout might surpass $500,000. "If the issues were used by an attacker, Apple would've faced massive information disclosure and integrity loss," Curry said in an online chat a few hours after posting a 9,200-word writeup titled We Hacked Apple for 3 Months: Here's What We Found. "For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend." An Apple representative issued a statement that said: "At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind. Based on our logs, the researchers were the first to discover the vulnerabilities so we feel confident no user data was misused. We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program."
I would have thought.. (Score:3)
They need to outsource this kind of "detective" work?
Re:I would have thought.. (Score:5, Insightful)
Why not both? Bug bounties are a great way to reward researchers for responsible disclosure and discourage them from selling them to the grey/black market.
Another way to think of it if you're a huge corp -- security researchers are going to be looking for weaknesses anyway. By having a bug bounty and a responsive security team, you incentivize those researchers to disclose responsibly, let you patch before publication so script kiddies don't just copy-paste, and give them the credit and the reward for doing so. The researchers benefit by being attributed for the vulnerability report and getting the bounty as well. Customers benefit by having the security issues addressed.
This is as close to a win-win-win as you're ever going to find.
Re: (Score:2)
Here's a possible downside with bug bounties...
Let's say you develop SW/systems for Apple and happen to notice a security issue. Now, you could report the issue, or maybe just fix it - but you know it'll involve meetings and probably take some time before it'll actually get fixed. But you happen to have this friend, and if you tell him about it instead, he can report it and make some money. Further, as it's reported externally, perhaps it'll even get fixed quicker... Hopefully your friend will share some
Re: (Score:2)
Of course you're right: there's plenty of money to be made rorting one's employer as you described.
But woe to him who is caught.
The negative publicity: don't expect to ever get a decent job again. (No more writing software / systems for Apple.)
The costly lawsuit: might even cost more than you gained from the rort.
Jail time: don't drop the soap.
All for a few hundred thousand dollars, that you may not even get because your "friend" decides he'll keep it all for himself. So then you plot a way to have him c
The solution is well known (Score:2)
https://dilbert.com/search_res... [dilbert.com]
Re: (Score:1)
Great job finding the comic!!! I actually had that one in mind when I wrote my post :-)
I definitely agree creating bugs and colluding with someone to get a bounty would be an overall crappy strategy (I also think it'd be unseemly and immoral). However, as a policy for a company with lots of employees, there might possibly be some that end up taking a wrong turn. So the bug bounty might then, theoretically, be a law of "unintended consequences" [1] or "perverse incentive" [2]:
A perverse incentive is an incentive that has an unintended and undesirable result that is contrary to the intentions of its designers. Perverse incentives are a type of negative unintended consequence. A classic example of a perverse incentive occurred when the British government offered a bounty for dead cobras with the intent of decreasing the wild cobra population. However, enterprising people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped, causing the cobra breeders to set the now-worthless snakes free. As a result, the wild cobra population further increased. The term cobra effect was coined to describe a situation where an attempted solution to a problem actually makes the problem worse.
[1] https://en.wikipedia.org/wi [wikipedia.org]
Re: (Score:3)
Especially in terms of security it is good to have someone outside taking a look.
Whenever a problem is found and it goes down the food chain, undoubtedly someone is asked "Why didn't you think of that?" The honest response is: because they didn't think of that.
A company such as Apple can create conditions, through policies and procedures that may be a net positive overall, that leave some security holes that no one really thought of, and that all the people who follow the policy and procedure will not find.
Re: (Score:2)
Tech companies have moved beyond employees (too expensive), beyond contractors (still have to pay them every week) to paying people only for results. You can't directly offer minimum wage, but think of the potentially hundreds of people who didn't get paid at all while working on the same job.
Re:I would have thought.. (Score:4, Insightful)
Re: (Score:2)
A company such as Apple would have had an internal team doing this kind of stuff.
They need to outsource this kind of "detective" work?
Adding an external audit to internal security controls is a perfectly normal business practice. Leave it to an Apple-hating editor to make the headline give the impression that Apple has been scammed.
Hacker online challenges worth the effort! Learn a (Score:5, Insightful)
From linked article "After a while, we sent an HTTP request to an OAuth endpoint in an attempt to generate an authorization bearer ... Our user account, even though its permissions were intended to be limited to authorization and resetting our password, could generate a bearer which had permission to access the API version of the application."
The 2019 NSA Codebreaker Challenge had a related variant of this type of vulnerability. Lol. Bearer tokens allow anyone with access to it to use it. Needless to say, very strict limitations should be placed on the use of these puppies. The 2019 NSA Codebreaker Challenge vulnerability (that participants had to discover) was that an OAuth token verification mechanism didn't check the user id of the person submitting it. In effect, it was a bearer token! The creators of this challenge really know their sh*t!
Shows you that details matter in network security. Knowledge is power. Learn and earn, baby!!
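The two posts above describe the same defect from the defender's side: a token check that only confirms the token is genuine, and never asks who it was issued to or what it was issued for, turns every token into a pure bearer credential. The following is an added example, written for this page and not code from Apple, the linked writeup, or the NSA challenge. It mints HMAC-signed tokens with a constructed demo key (an assumption; a real service would use a managed key and a standard library such as a JWT implementation), then contrasts a weak authorizer that stops at the signature with a strict one that also binds the token to the requesting user, checks scope, and enforces expiry.

```python
"""Added example (not from the linked writeup or the NSA challenge): why a
token check that ignores subject and scope behaves like a bearer token."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo signing key; a real service keeps this in a KMS or HSM.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as tokens usually carry it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; re-adds the padding base64 needs to decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: List[str], ttl: int = 3600, now=None) -> str:
    """Mint a token of the form base64(payload).base64(hmac_sha256(payload))."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scopes, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def _verify_signature(token: str, now=None) -> Optional[dict]:
    """Shared step: confirm the token is ours and unexpired; return claims or None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
    except ValueError:
        # Malformed base64, wrong number of segments, or non-JSON payload.
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_weak(token: str, requesting_user: str, needed_scope: str, now=None) -> bool:
    """The flawed pattern from the posts above: a valid signature is treated as
    sufficient, so whoever presents the token is let in, no matter which account
    it was minted for or how limited its permissions were meant to be."""
    return _verify_signature(token, now) is not None


def authorize_strict(token: str, requesting_user: str, needed_scope: str, now=None) -> bool:
    """Hardened check: signature, expiry, subject binding, and scope.
    A token issued to one account for password reset cannot be replayed by
    another account or used against an API it was never scoped for."""
    claims = _verify_signature(token, now)
    if claims is None:
        return False
    if claims.get("sub") != requesting_user:
        return False
    return needed_scope in claims.get("scope", [])


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    tok = issue_token("alice", ["password:reset"], now=t0)
    print("weak   (mallory, admin:users):", authorize_weak(tok, "mallory", "admin:users", now=t0 + 10))
    print("strict (mallory, admin:users):", authorize_strict(tok, "mallory", "admin:users", now=t0 + 10))
    print("strict (alice, password:reset):", authorize_strict(tok, "alice", "password:reset", now=t0 + 10))
```

The subject comparison is what the challenge's verification step was missing: without it, the server cannot tell the token's owner from anyone who has copied it, which is the definition of a bearer credential. The scope check is the second half of the Apple finding, where an account limited to authorization and password reset could obtain a token that reached the full API.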
Re: Hacker online challenges worth the effort! Lea (Score:2)
Here's a nice write-up of the 2019 Challenge task solutions. https://armerj.github.io/CodeB... [github.io]
The Colored Hats Myth (Score:1)
How is this still a thing? Look at what is going on in the world around you, do you really think that anyone with this level of technical skill is going to be so magnanimous that they are just going to remind you to lock your doors? Telling you about a security flaw like this means they got what they came for and they want you to patch it so that no one else grabs it after them; which would decrease the resale value of whatever it is. Maybe it's credit card numbers, maybe it's a golden ticket. But you just
Re: The Colored Hats Myth (Score:3)
Because most people aren't sociopath criminal wannabes
Risk (Score:2)
If you are a total sociopath, you do the algebra:
Get paid some guaranteed amount and not risk going to jail. Also, get some recognition, publicity, and more work.
Or, possibly get paid more, receive few fringe benefits, and have the FBI after you.
That's if you are a total sociopath. Otherwise, you don't do it because it is wrong.
Re: (Score:3)
As someone else said, not everyone is a sociopath. I'll add some other reasons for those who are: freedom, paychecks and benefits. White hats get to have those things. Black hats need to worry about them.
While there are individual black hats that can make more than the average white hat, the average black hat doesn't. It's a phenomenon talked about in Freakonomics and covered in a well known TED talk on McDonalds workers vs gangbangers. Turns out McDonalds workers are better financially than gang bange
Securing systems (Score:2)
It's a sad state of affairs that systems and networks are so hard to secure.
Re: (Score:2)
That's because the problem is asymmetrical. If you're a hacker, you're looking for an opening. Any opening will do.
But if you're the network owner, you have to secure ALL openings.
Apple should maybe pay millions (Score:2)
This guy's work, and others like him, keeps our data secure. And for Apple, keeps them from becoming a bad press nightmare. They should be paying a lot more to keep the hackers on their team.
Very cheap. (Score:2)
Considering a single ransomware/sabotage/espionage incident could have cost them many many millions, this is suuuper inexpensive.
Re: (Score:1)
Re: (Score:2)
sure, it's all PR until you get hacked, then it's your irresponsibility.