Hackers Discover 55 Apple Vulnerabilities, Awarded Nearly $300,000 in Bounties [Updated]

A group of hackers has been awarded nearly $300,000 by Apple for discovering 55 vulnerabilities in the company's systems.


Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes spent three months hacking Apple platforms and services to discover a range of weaknesses. The 55 vulnerabilities the team discovered were of varying severity, with some being critical.

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

Apple apparently was swift to address the majority of the vulnerabilities, with some being resolved in as little as a few hours.

Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation.

As part of Apple's Security Bounty Program, the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500. This included $5,000 for disclosing the full name of iCloud users, $6,000 for finding IDOR vulnerabilities, $6,500 for access to internal corporate environments, and $34,000 for discovering system memory leaks containing customer data.

Since no one really knew much about their bug bounty program, we were pretty much going into uncharted territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.

Apple has been actively investing in its bug bounty program since last year. Security researchers can now receive up to one million dollars per vulnerability depending on the nature and severity of the security flaw.

With the permission of Apple's security team, the group has published an extensive report which details a range of vulnerabilities and methods of locating and exploiting weaknesses. They also hinted that additional bounties may be on the way.

Update October 9: At the time of publication, the group reported that it had received $51,500 in bounties from Apple for four of the vulnerability reports it submitted. The group now says it has received 32 payments from Apple totaling $288,500.


Top Rated Comments

Expos of 1969, 58 months ago:
That seems to be quite a low payment for finding 55 problems. Each guy made about $850/week.
Score: 35 Votes
ksec, 58 months ago:
Quoting the article: "As part of Apple's Security Bounty Program (https://www.macrumors.com/2019/12/20/apple-launches-public-bug-bounty-program/), the group was able to receive considerable payments for some of their work. As of Sunday, October 4, they had received four payments totaling $51,500."
MacRumors just redefined the word "considerable" in Corporate America.
Score: 21 Votes
The Cappy, 58 months ago:
These kinds of headlines slay me. "Over $50,000" you say.

The correct amount was $51,500. It would have been both shorter and more accurate to type the correct number. You don't even have the excuse of vagueness being necessitated by the need for brevity, since you actually type the number in full. You just go out of your way to use incorrect numbers so that you later need to correct yourself. Oh well.
Score: 19 Votes
adamdport, 58 months ago:
$50k split between 5 people over 3 months... that's the equivalent of $40k/yr for these guys. I guess it didn't say they were working 40 hours a week, or were full time on Apple though.
Score: 19 Votes
cmaier, 58 months ago:
Quoting another comment: "I smell lawsuits coming."
Why? Unless someone can prove these vulnerabilities were used, what's the harm?
Score: 17 Votes
CrazyForCashews, 58 months ago:
I appreciate how quickly Apple paid them.

News like this will probably encourage other hackers to disclose any more vulnerabilities to Apple knowing that they'll be rewarded in a timely manner.
Score: 13 Votes