
Hacker Cashes In On Apple’s Security Bounty Program

22-year-old Sam Curry makes money doing what he loves 

David Braue

Melbourne, Australia – Feb. 25, 2021

Every hacker has a different story to tell about how they got into the hobby, and Sam Curry readily admits that his first taste of hacking was all about money — the virtual kind.

Working with a group of friends, Curry began poking and prodding an online video game to see if its internal currency system could be manipulated — and soon figured out how to give each other “infinite currency.”

It was the beginning of a long-running romance that has proved increasingly fruitful for Curry, who began deep-diving into web application security and soon joined the HackerOne community on the recommendation of a friend.

Five years later, Curry is a full-time web application security researcher and bug hunter, participating in bug-bounty programs that have so far netted him and his four teammates over $500,000 in compensation — including a $50,000 payout from Apple.

It’s not infinite currency, but it’s great money for doing something Curry loves — and he predicts that the total takings could pass $750,000 by year’s end.

“We’re continuing to work on them right now,” he told Cybercrime Magazine. “It has been pretty much like a rolling bug bounty, trying to do as much as possible.”

A significant part of the appeal of bug-bounty programs is the multiplier effect — the ability to rapidly scale the programs to any level, as new hackers come onboard and complement the existing efforts of their colleagues.

It’s a big change from conventional pen-testing and security audits, Curry said, in which a small team of people might spend a week probing a network and then deliver a static report with their findings.

Bug-bounty programs’ ongoing nature is making them a popular tool in the cybersecurity defences of companies that recognize the importance of discovering “anything that invalidates the CIA triad [confidentiality, integrity, availability],” Curry explained, “or has some customer impact.”

“Pretty much anything a company is going to care about, they’d like to know about — and they’ll pay for it.”


Apple for the teacher

As it turns out, one of the companies willing to pay the most to learn those things is Apple — which opened its Apple Security Bounty program to the public late in 2019 “as part of Apple’s commitment to security… we reward researchers who share with us critical issues and the techniques used to exploit them.”

Curry began hammering the Apple code base alone but soon enlisted the support of several like-minded hackers he had collaborated with — virtually — on previous challenges for other companies.

During a bug-finding blitz between July and October last year, Curry said, he and his team — working together over a group chat — identified 11 critical bugs, 20 or 30 high severity bugs, and more than 30 low or medium severity submissions.

Among the “multitude” of bugs they identified were techniques to get code execution on Apple’s Apple Books for Authors and education community servers, potentially bypassing authentication and giving an attacker arbitrary code execution with access to Apple’s network and user data; ways to extract user details that were supposed to be carefully secured; and “technical server side vulnerabilities” like SQL injection and server-side request forgery.
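To make the two server-side bug classes named above concrete, here is an added illustration written for this page; it is generic example code, not Apple’s code and not the team’s actual findings. It shows a string-built SQL lookup beside its parameterised form, and an allowlist check of the kind that stops a server-side fetch from being pointed at internal addresses. The user table, the allowlist and the test URLs are constructed for the example.

```python
"""Added example: SQL injection and SSRF, vulnerable form beside hardened form.
Generic illustration for this page, not Apple's code or the researchers' findings."""
import ipaddress
import sqlite3
from urllib.parse import urlsplit


def make_db():
    # Constructed in-memory table with two fictional users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", "author"), (2, "bob@example.com", "admin")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Query built by string formatting: the input is parsed as SQL, so a crafted
    # value such as  ' OR '1'='1  returns every row instead of one.
    sql = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    # Parameterised query: the input is bound as data and never parsed as SQL.
    sql = "SELECT id, email, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def is_safe_fetch_target(url, allowed_hosts):
    """Allowlist check for a server-side fetch (assumed policy for this example):
    scheme must be http(s), the host must be on the allowlist, and a literal IP
    host must not be private, loopback or link-local. A real deployment would
    also resolve the name and pin the resolved address before connecting."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not a literal address
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return False
    return host in allowed_hosts


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))   # both rows leak
    print(lookup_hardened(db, "' OR '1'='1"))     # nothing
    allow = {"cdn.example.com"}
    print(is_safe_fetch_target("https://cdn.example.com/cover.jpg", allow))
    print(is_safe_fetch_target("http://169.254.169.254/latest/meta-data/", allow))
```

The SQL half shows why a single quote in a request parameter is enough to turn a one-row lookup into a full table dump; the SSRF half shows the usual shape of a fix, which is to decide up front which hosts the server is allowed to fetch from rather than trying to blocklist bad ones.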

The team-based nature of bug-hunting has, Curry said, brought a certain truth to the oft-cited bon mot of Casey Ellis, the Australian founder of pioneering bug-bounty firm Bugcrowd — who is known for saying “every bug is a startup, and every bounty hunter is an entrepreneur.”

That statement initially came off as “the most sales-y thing I’d ever heard,” Curry laughed, but over time he’s realized it carries a strong hint of truth.

When lodging a security vulnerability to a bug-bounty program, he said, “You have to go out and find a vulnerability, and report it, and pitch and sell it — and they pay for it based on that pitch.”

Dedicated to a common cause

Yet the bug-bounty work has been more than a one-way submission process: over time, the ongoing stream of submissions attracted the attention of “enthusiastic” Apple engineers who met the team over a video call.

“Over time, we started to have conversations with them about it,” Curry said. “They were very excited about the findings and care about customer data.”

This excitement — and a common sense of purpose by both the hackers and the hacked — is what motivates bug finders like Curry to keep going.

And while many people assume bug finders are “the most technical people of all time… and super into technology,” he said, “a lot of these people are just people who saw opportunities there, and say ‘oh, I can make money doing this’ and just do it.”

With an almost infinite array of potential bugs to find, Curry has stayed keen on bug hunting — motivating him to explore other software for vulnerabilities that affect a broader range of companies.

“I spend a lot of time trying to find zero-day vulnerabilities and larger-use software,” he said, “and we found a pre-auth remote code execution vulnerability, which I’m really excited about.”

“I’m definitely going to spend more time in security,” he added. “I really do enjoy it — and although I’m not quite sure what to do, I think it’ll pan out.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.
