Apple Hacked Again: These 2 Hackers Just Can't Stop Hacking Apple

Hackers discover security bug on Apple travel booking platform

SOPA Images/LightRocket via Getty Images

There is no such thing as 100% hack-proof security. Even tech companies known for building “better” security and privacy into their products (yes, I’m talking about Apple) know this. So the fact that an Apple platform was hacked isn’t that surprising in the grand scheme of things: the response from Apple’s security team was, however.

ForbesMysterious Apple ID password resets iPhone, iPad, and Mac usersBy Davey Winder

Who hacked Apple?

More often than not, you’ll find me saying that it’s too early in the investigation of the incident or that attribution isn’t that important when it comes to the hack of a tech giant like than Apple. On this occasion, however, I can tell you right now who did it: Harsh Jaiswal and Rahul Maini of HTTPVoid Research. The two security researchers already have some experience hacking Apple, having done so in 2021 by exploiting a zero-day vulnerability with the content management system used on the Apple platform. This feat earned the two bug bounty hunters a $50,000 reward from Apple. However, there is no mention of a bounty payment in the duo’s article on another project called Project Discovery about how they hacked Apple on May 8 in an article titled Hacking Apple – SQL Injection to Remote Code Execution.

How did these two security researchers hack Apple?

In February, researchers published a paper explaining how they had, once again, found a way to hack Apple. This exploit revolved around Lucee, an Adobe ColdFusion server that uses fewer resources and provides better performance. Specifically, the two men explored the source code of the MASA/Mura content management system used with Lucee. Then, the discovered vulnerabilities allowed them to execute code remotely “across multiple Apple servers.”

Fast forward to now, and researchers have explained how they spent more time exploring the source code of this CMS, motivated by the large potential attack surface it exposes. After just a week, they “came across multiple entry points to exploit,” including a critical SQL injection vulnerability that allowed them to hack the Apple Travel portal. Read the excellent analysis of the whole procedure on the Project Discovery site if you want to know all the technical details of how it happened. Suffice it to say, they were able to reset an admin user’s password for the Apple platform via a SQL injection attack and then use that password reset endpoint with exfiltrated information.

Hackers managed to access an Apple administrator account

Apple/Davey winder

Apple patched the vulnerability within 2 hours of it being reported

Because these are the kind of hackers we need to be looking for things like this, they quickly submitted a report to Apple along with a proof-of-concept demo showing them logging into an Apple administrator account . “Our exploration of the Masa/Mura CMS has been an enriching journey,” Jaiswal and Maini said, “revealing critical vulnerabilities.” Apple and Mura CMS responded just as quickly to implement a fix. In Apple’s case, it took less than 2 hours after submitting the vulnerability report. “As always, working with Apple has been a good collaboration,” the researchers concluded. Masa CMS, an open source fork of Mura CMS, also responded quickly and transparently, releasing a new version of the code. The researchers report that “despite numerous attempts to contact,” they were unable to get a response from the Mura CMS team and waited the required 90 days before releasing these details. I have contacted Apple and Mura CMS and will report back any statements if provided.

ForbesDropbox warns hackers who accessed customer passwords and 2FA dataBy Davey Winder