Accessing Apple’s internal UAT Slackbot for fun and non-profit

In December 2020, Ashish Kunwar and I went on a hunting spree against multiple Apple targets. As usual, we started by collecting all of their subdomains.

One interesting target that we stumbled upon was

We tried exploiting it for XSS, SQLi, and authentication vulnerabilities, but to no avail.

Then we thought of file and directory brute-forcing; maybe we had missed something? A quick dirsearch led us to https://uat-gsdcb.apple.com/INSTALL, which in turn redirected us to the following page upon allowing the bot to be installed:

https://uat-gsdcb.apple.com/oauth?code=1540913643671.1564171726854.0d5ecd2aab831447498227d1185fc376228752b769d8dd97f228919dad09b742&state=botkit

Upon successful installation, we encountered this page:

Slackbot installed in our Slack workspace

This would have permitted an adversary to send arbitrary Slack messages, make alterations in their SDLC process, interrupt their CI/CD pipeline, and possibly disclose sensitive information.

At this point, after gathering enough evidence, we stopped testing and brought this to Apple's attention.

Apple’s usual automated reply

Now, this was patched in less than two days, but as of today (October 6, 2021), we have never received any hall of fame acknowledgment or bounty reward despite repeated follow-ups.

Date reported and triaged: Dec 13, 2020

Remediation timeline: Dec 15, 2020

Bounty awarded: $00

So, this was our terrible experience with Apple’s security program for the first vulnerability that we reported!!

Thanks for taking the time to read!

AppSec Guy