Accessing Apple’s internal UAT Slackbot for fun and non-profit

In December 2020, Ashish Kunwar and I went on a hunting spree against multiple Apple targets. To begin with, as usual, we started by collecting all of their subdomains first.

One interesting target that we stumbled upon was

We tried exploiting it for XSS, SQLi, and authentication vulnerabilities, but to no avail.

Then we thought of file and directory brute-forcing; maybe we had missed something? A quick dirsearch led us to which in turn redirected us to the following page upon allowing the bot to be installed:

Upon successful installation, we encountered this page:

Slackbot installed in our Slack workspace

This would have permitted an adversary to send arbitrary Slack messages on the bot's behalf, potentially alter their SDLC process or interrupt their CI/CD pipeline, and possibly disclose sensitive information.
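The risk in a case like this comes from the permissions the installable bot carries: an "Add to Slack" link requests a fixed set of OAuth scopes, and whoever completes the install gets a token with those scopes. The following is an added example (not code from the original post) that a defender can use to review what an install link would grant: it parses the `scope` and `user_scope` query parameters of a Slack OAuth v2 authorize URL and flags scopes that permit writing to the workspace. The sample URL, its client_id and redirect_uri are constructed placeholders, and the read/write classification of scopes is an assumption made for the example rather than a list published by Slack.

```python
"""Audit the permissions an 'Add to Slack' install link would request.

Added example, not from the original post. Slack's OAuth v2 install links
(https://slack.com/oauth/v2/authorize) carry requested bot scopes in the
`scope` query parameter and user-token scopes in `user_scope`.
"""
from urllib.parse import urlparse, parse_qs

# Scopes that let an installed app act on the workspace (post, upload, run
# commands) rather than only read from it. Assumption for this example.
WRITE_SCOPES = {
    "chat:write", "chat:write.public", "files:write", "channels:manage",
    "groups:write", "im:write", "mpim:write", "commands", "incoming-webhook",
}
READ_SCOPES = {
    "channels:read", "channels:history", "groups:history", "users:read",
    "files:read",
}

# Constructed sample install link; client_id and redirect_uri are placeholders.
SAMPLE_INSTALL_URL = (
    "https://slack.com/oauth/v2/authorize?client_id=PLACEHOLDER_CLIENT_ID"
    "&scope=chat:write,channels:read,files:write,commands"
    "&user_scope=users:read"
    "&redirect_uri=https://uat.example.invalid/slack/callback"
)


def parse_install_link(url):
    """Return client_id, redirect_uri and the bot/user scope lists of an install link."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    bot_scopes = [s for s in query.get("scope", [""])[0].split(",") if s]
    user_scopes = [s for s in query.get("user_scope", [""])[0].split(",") if s]
    return {
        "client_id": query.get("client_id", [None])[0],
        "redirect_uri": query.get("redirect_uri", [None])[0],
        "bot_scopes": bot_scopes,
        "user_scopes": user_scopes,
    }


def classify_scopes(info):
    """Label each requested scope as 'write', 'read' or 'unknown'."""
    findings = []
    for scope in info["bot_scopes"] + info["user_scopes"]:
        if scope in WRITE_SCOPES:
            findings.append((scope, "write"))
        elif scope in READ_SCOPES:
            findings.append((scope, "read"))
        else:
            findings.append((scope, "unknown"))
    return findings


def risk_level(findings):
    """'high' if any write scope is requested, 'medium' for unknown, else 'low'."""
    labels = {label for _, label in findings}
    if "write" in labels:
        return "high"
    if "unknown" in labels:
        return "medium"
    return "low"


if __name__ == "__main__":
    info = parse_install_link(SAMPLE_INSTALL_URL)
    findings = classify_scopes(info)
    print("redirect_uri:", info["redirect_uri"])
    for scope, label in findings:
        print(f"  {scope:<20} {label}")
    print("risk:", risk_level(findings))
```

Running this over the install links exposed by an organisation's own Slack apps gives a quick picture of which ones should never be reachable from a non-production host: anything rated "high" here hands a token that can post into channels or run slash commands to whoever completes the install.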

At this point, after gathering enough evidence, we stopped testing and brought this to Apple’s attention.

Apple’s usual automated reply

Now this was patched in less than two days, but as of today (October 6, 2021), we never received any hall of fame acknowledgment or bounty reward despite repeated follow-ups.

Date reported and triaged: Dec 13, 2020

Remediation timeline: Dec 15, 2020

Bounty awarded: $00

So, this was our terrible experience with Apple’s security program for the first vulnerability we reported!!

Thanks for taking the time to read!


Shail Patel (AppSec Guy)