Recently, DropBox undertook a Pen Test to highlight potential vulnerabilities with Mac OS. Syndis, a Cyber Security firm was engaged by DropBox to perform this pen test. The entire process was reportedly spearheaded by Chris Evans, the Head of Security for DropBox. During the course of the test, the team of Ethical Hackers unveiled 3 Zero-Day vulnerabilities in Apple.
Need for Pen Test
DropBox, a cloud-based backup service provider was the most recent to conduct a pen test. As a matter of fact, this IT firm is burdened with the responsibility of safeguarding the data of its clients.
Evans has reportedly stated
“We know that we are targeted by adversaries that could develop and use zero-day exploits against us, and we need to protect ourselves accordingly”
With a multitude of ongoing security threats, a large number of IT companies are counting on pen tests conducted by Red Teams in order to boost their security and achieve higher standards.
This particular pen test conducted for DropBox involved detection of existing vulnerabilities and also discreet placement of malicious code within the DropBox environment.
The Findings
As a result of this Pen Test, Syndis uncovered three critical Zero-Day vulnerabilities in the Mac OS platform. These include CVE-2017-13890, CVE-2018-4176, CVE-2018-4175. The findings reportedly indicated towards the possibility of a cyber attack, if the hacker knew of these three vulnerabilities and exploited them together.
Chaining 3 zero-days allowed pen testers to hack Apple macOS computers
In other words, if a hacker designs malicious code and induces a DropBox employee to visit the same from a Safari Browser, the cyber attack could be successful.
DropBox duteously informed this to Apple, which in turn fixed these issues in less than a month, whereas, it is not uncommon for other IT Giants to take at least 90 days, which is the maximum timeframe given for an IT company to either release a patch, or to declare the shortcomings to the public, at large.