Accessing Apple’s internal UAT Slackbot for fun and non-profit
In December 2020, Ashish Kunwar and I went on a hunting spree against multiple Apple targets. To begin with, as usual, we started by collecting all of their subdomains first.
One interesting target that we stumbled upon was
We tried exploiting it for XSS, SQLi, and authentication vulnerabilities, but to no avail.
Then we thought of file and directory brute-forcing; maybe we missed something? A quick dirsearch led us to https://uat-gsdcb.apple.com/INSTALL, which then redirected us to the following page upon allowing the bot to be installed:
Upon successful installation, we encountered this page:
This would have permitted an adversary to essentially send any Slack communication messages, make potential alterations to their SDLC process, interrupt their CI/CD pipeline, or possibly disclose some sensitive information.
At this point, after gathering enough evidence, we stopped testing and brought this to Apple’s attention.
Now this was patched in less than two days, but as of today (October 6, 2021), we have never received any hall of fame acknowledgment or bounty rewards despite repeated follow-ups.
Date reported and triaged: Dec 13, 2020
Remediation timeline: Dec 15, 2020
Bounty awarded: $00
So, this was our terrible experience with Apple’s security program for the first vulnerability that we reported!!
Thanks for taking your time to read!