Wormable Apple iCloud Bug Allows Automatic Photo Theft
2020-10-09 13:02

The flaws found in core portions of Apple's infrastructure include ones that would have allowed an attacker to: "Fully compromise both customer and employee applications; launch a worm capable of automatically taking over a victim's iCloud account; retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple; and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources," he wrote.

iCloud is an automatic storage mechanism for photos, videos, documents, and app-related data for Apple products.

For its part, Apple responded quickly to the bug reports, fixing the majority of them by the time the post went live, with typical remediation upon learning of the flaws occurring within one to two business days, and response to some critical vulnerabilities within as little as four to six hours, he acknowledged.

"Overall, Apple was very responsive to our reports," Curry said, adding that, "As of now, October 8th, we have received 32 payments totaling $288,500 for various vulnerabilities." That number could go higher as Apple tends to pay in "batches," so the hackers anticipate more payments in the coming months, he said.

Curry - who calls himself a full-time bug-bounty hunter - said he was inspired to assemble the team of hackers to peer under the hood of Apple's infrastructure after learning on Twitter of a researcher's award of $100,000 from Apple for discovering an authentication bypass that allowed for arbitrary access to any Apple customer account.


News URL

https://threatpost.com/3-month-apple-hack-vulnerabilities-critical/159988/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 128 553 4048 1531 2411 8543