Apple ignored reports of three big security problems in iOS 15, researcher says
A security researcher claims that Apple snubbed them on a zero-day flaw they reported, and that the company has yet to fix three other zero-day vulnerabilities that are now present in iOS 15.
Credit: Andrew O'Hara, AppleInsider
In a blog post on Friday, security researcher illusionofchaos wrote about their "frustrating experience participating in the Apple Security Bounty program." The program is meant to offer payments to independent researchers for finding flaws in Apple's systems.
The researcher says they submitted four zero-day vulnerabilities to Apple between March 10 and May 4. One of those vulnerabilities was patched in iOS 14.7, but the researcher said Apple "decided to cover it up and not list it on the security content page."
"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote. "There were three releases since then and they broke their promise each time."
Additionally, three of the other security flaws are still present in the released version of iOS 15. The researcher said Apple has ignored disclosure of the iOS flaws.
"Ten days ago I asked for an explanation and warned them that I would make my research public if I don't receive an explanation," illusionofchaos said. "My request was ignored so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines."
The three vulnerabilities include a flaw that allows apps downloaded from the iOS App Store to read data like Apple ID credentials and information about a user's contacts. Another flaw allows any app to check whether any other app is installed on a device, while the third allows apps with location services permissions to gain access to Wi-Fi information.
This is not the first time a security researcher has voiced concerns about Apple's Security Bounty program. Earlier in September, a report collected a slew of complaints about the initiative, including researchers calling out poor communication, payment confusion, and other issues.
Apple first overhauled its bounty program in 2019, opening it to any security researcher and increasing payouts. Since then, Apple has called the program a "runaway success."
The same report collecting researcher complaints also indicated that Apple has hired a new executive to oversee and reform its bug bounty program.
Comments
Apple will surely put that on Corona and difficulties to coordinate, but still, this is really not good, as any developer that also knew about this exploit could have used it.
Looking forward to reading the excuse from Apple.
When do you think Apple will release a new iOS software update?
But based on that description, this is not a bug, but by design. There are APIs that allow you to get WiFi information, and because, through triangulation, that WiFi information could be used to deduce location pretty accurately in many cases, Apple requires location services permission be granted to use the WiFi info APIs. The app I work on needs WiFi information (vertical market app — not consumer app) and we've had to deal with this and have gone back and forth with Apple on the requirements for this. We have to ask for location services permission but we don't actually need the person's location.
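The gating the comment above describes, shown as an added example that is neither the commenter's code nor anything from the researcher's write-up: on iOS 14 and later, an app must hold location authorization (and the "Access Wi-Fi Information" entitlement) before NEHotspotNetwork will return the current SSID; without it the API reports no network. The class name WiFiInfoReader and the flow around it are assumptions for illustration.

```swift
import CoreLocation
import NetworkExtension

// Added example (not from the article or the commenter). Reads the current
// Wi-Fi SSID only after the user has granted location authorization, which is
// the permission gate the comment above describes.
final class WiFiInfoReader: NSObject, CLLocationManagerDelegate {
    private let locationManager = CLLocationManager()
    private var completion: ((String?) -> Void)?

    // Call from an app with NSLocationWhenInUseUsageDescription in Info.plist
    // and the com.apple.developer.networking.wifi-info entitlement.
    func fetchSSID(completion: @escaping (String?) -> Void) {
        self.completion = completion
        locationManager.delegate = self
        switch locationManager.authorizationStatus {          // iOS 14+
        case .notDetermined:
            // Prompts the user; the answer arrives in the delegate callback below.
            locationManager.requestWhenInUseAuthorization()
        case .authorizedWhenInUse, .authorizedAlways:
            readSSID()
        default:
            // Denied or restricted: Wi-Fi details are not available to the app.
            completion(nil)
        }
    }

    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        switch manager.authorizationStatus {
        case .authorizedWhenInUse, .authorizedAlways:
            readSSID()
        case .notDetermined:
            break                                              // still waiting on the prompt
        default:
            completion?(nil)
        }
    }

    private func readSSID() {
        // Returns nil when location authorization or the Wi-Fi entitlement is missing.
        NEHotspotNetwork.fetchCurrent { [weak self] network in
            self?.completion?(network?.ssid)
        }
    }
}
```

The point for a reviewer is that the SSID request itself carries no location code path; the location prompt exists only because Apple treats the Wi-Fi identifiers as a location proxy, which is why the commenter's app must request a permission it never otherwise uses.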
I'm not only an iOS developer, I'm also a mobile pentester with GIAC certification from my SEC575 sans.org course: I tried to use the exploit to show info about the IMSI info (xpc service mmcs.plist) but did not manage it.
So no, I’m not alarmist, I just tried the code myself instead of just reading the info.
No, this guy's claims do not somehow infer Apple doesn't know what it's doing but you do. lol