Apple's software and services contain 55 vulnerabilities

A team of five security researchers analyzed several pieces of Apple software and several of its online services between July and September.

The team discovered 55 vulnerabilities: 11 critical, 29 high-risk, 13 medium-risk and 2 low-risk.

According to the team, these vulnerabilities would have allowed attackers to fully compromise both customer and employee applications, and to launch malware capable of automatically taking over a victim's iCloud account.

They would also have allowed an attacker to retrieve source code from Apple's internal projects, break into the industrial-control warehouse software used by Apple, and take over the sessions of Apple employees, with access to sensitive management tools and resources.

Worse, an attacker could easily hijack a user's iCloud account, steal all of their photos, calendar information, videos and documents, and spread the attack to all of the victim's contacts.

The researchers are Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes.

After the researchers formally reported these flaws to Apple, the iPhone manufacturer took steps to fix them within a short period of time.

To date, Apple has fixed about 28 of the vulnerabilities and paid a total of $288,500 under its bug bounty program.

On one affected Apple domain (ade.apple.com), a default password allowed authentication to be bypassed, giving attackers access to the administrative console and the ability to execute code.

Another bug involved an application called DELMIA Apriso, a warehouse management solution; through it, an attacker could change shipping and inventory information, review employee IDs, and take complete control of the program.

A separate vulnerability was also found in Apple Books for Authors, the platform that lets authors write and publish their books on Apple Books.

Another significant risk the researchers discovered was a cross-site scripting (XSS) vulnerability on the www.icloud.com domain.

The XSS vulnerability could be triggered simply by sending a crafted email to any iCloud.com or Mac.com address stored in the victim's contacts.

In a blog post, the team said, "When we first started this project, we had no idea that we would spend more than three months completing it."

They added, "This was originally a side project that we did from time to time. We spent hundreds of hours on this project."
