- In general, how did you come to these hacker resources, where Apple's prototypes and developments were laid out? 

Back in school, I was interested in a post about unlocking locked smartphones on one of the forums.

Aside from the prospect of rewards, publicity, and so on, there was something so special about taking possession of something inside.

After that, the circle of acquaintances expanded, and more data fell into my hands.

- Have you been in contact with Apple for more than three years and have never been paid a "fee"?

As far as I know, the same Facebook pretty quickly responds to reports of vulnerabilities and rewards those who find them.

- The same product security team (security in relation to the product. - RT) has one fairly well-known nuance of work: you find a vulnerability, send a report, expecting that it will fall under the bug bounty program (program for catching bugs. - RT), but in the end you don't get an answer, and the vulnerability is quietly closed with a patch.

In 2017, a Moroccan contacted me and asked me to help set up an internal VPN on his employee account.

It turned out that he had a lot of these accounts, and all were obtained by phishing (he sent e-mails and SMS that imitated something from Apple, went to the AppleWeb portal, which has a widget with a directory of employees, and took new addresses and numbers from there).

I reported it, and Thomas Moyer (Apple's Chief Security Officer. - RT) contacted me and gave me a small team.

They collected feedback and essentially disappeared.

Later, they quietly made two-factor authentication mandatory for all accounts, tightened the procedure for adding devices to an account and demolished some retail systems, in which holes were also found in the process.

- The main leaks occur in China, right?

But they write on the net that the factories where Apple devices are made have rather strict security control, it turns out that this is not so?

- The main flow is from China, because despite the tight control, there are always “acquaintances” who help the interested parties.

In fact, it is to some extent corruption, which reaches the management of individual assembly / storage facilities.

- You voluntarily became a spy for Apple, how did you feel when you gave them information about the next leak and how do you think they treated you over time?

- I renewed my relationship with the security department in 2020 on my own initiative.

I was no longer satisfied with the fact that to some extent I was still financially dependent on my "hobby".

The plan was simple enough: lay out all the cards, help patch up the holes, and get a ticket to a more comfortable existence.

At the end of the communication with the provided team of two, the relationship suffered too much.

I was not happy that they never gave clear answers, referring to COVID-19 and the fact that "since I am a non-standard situation outside the established protocols, it is necessary to convene a meeting of those who have executive powers to discuss the issue."

- Do you really think that because of your message, the employee in Germany who worked on Google maps could be fired?

- Apple Maps, and yes.

The man wanted to take advantage of the position and corporate access to earn some money.

I acted first as a stakeholder, then as a “friend” who would help find buyers.

As far as I remember, his case was closed less than a week after my report, and with dismissal.

Since he did not know what exactly he was caught on, and did not know that I did it, we continued to communicate, so I received feedback from both the security service and from him.