Fortunately, the company responded quickly and positively to the vulnerability disclosures.
Recently, a team of security researchers found 55 vulnerabilities on the network of the world’s most valuable electronic products retailer: Apple. Eleven of the vulnerabilities were rated critical.
The critical vulnerabilities would have allowed hackers to take over Apple’s core infrastructure and steal private emails, iCloud data, and other private information.
In iCloud, a cross-site scripting (XSS) vulnerability was found that would let an attacker read any browser cookies, session tokens or other sensitive information stored in the victim’s browser. Considering the number of iCloud users, and how easily the vulnerability could spread from one user to another, the potential damage would have been massive.
One expert’s viewpoint
One expert has commented that when a major brand is involved in such a severe oversight, there are lessons for everyone. Importantly, Apple was quick in responding to the reports from security researchers and addressing the concerns raised.
Said Synopsys Software Integrity Group’s Principal Security Strategist Tim Mackey: “Apple stated that it was also able to verify that the attack techniques used by the researchers did not appear in their logs prior to the research effort—an indication that detailed incident response logging is in place. The breadth of issues identified within the vast Apple online presence—ranging from unpatched VPNs to hardcoded fields in webforms—is more evident of how difficult it is to keep on top of all security issues as organizations grow—than a negative reflection of any security practices within Apple.”
Noting that the vulnerabilities were part of a paid bug bounty program, Mackey said this experience should serve as a template for all businesses: Software weaknesses are real. No single security tool or team is going to find all issues all the time. External teams, particularly researchers, can bring a level of creativity, perspective and zeal that can uncover issues that internal teams may be blind to. He advises: “Embrace the efforts of responsible security research and respond quickly when an issue is identified. Then look within your business for ways in which you could’ve identified the issue and improve your capabilities from there.”