Apple ignored reports of three big security problems in iOS 15, researcher says

Posted:
in iOS edited September 24
A security researcher claims that Apple snubbed them on a zero-day flaw they reported, and that the company has yet to fix three other zero-day vulnerabilities that are now present in iOS 15.

Credit: Andrew O'Hara, AppleInsider
Credit: Andrew O'Hara, AppleInsider


In a blog post on Friday, security researcher illusionofchaos wrote about their "frustrating experiencing participating in the Apple Security Bounty program." The program is meant to offer payments to independent researchers for finding flaws in Apple's systems.

The researcher says they submitted four zero-day vulnerabilities to Apple between March 10 and May 4. One of those vulnerabilities was patched in iOS 14.7, but the researcher said Apple "decided to cover it up and not list it on the security content page."

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote. "There were three releases since then and they broke their promise each time."

Additionally, three of the other security flaws are still present in the released version of iOS 15. The researcher said Apple has ignored disclosure of the iOS flaws.

"Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation," illusionofchaos said. "My request was ignored so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines."

The three vulnerabilities include a flaw that allows apps downloaded from the iOS App Store to read data like Apple ID credentials and information about a user's contacts. Another flaw allows any app to check whether any other app is installed on a device, while the third allows apps with location services permissions to gain access to Wi-Fi information.

This is not the first time a security researcher has voiced concerns about Apple's Security Bounty program. Earlier in September, a report collected a slew of complaints about the initiative, including researchers calling out poor communication, payment confusion, and other issues.

Apple first overhauled its bounty program in 2019, opening it to any security researcher and increasing payouts. Since then, Apple has called the program a "runaway success."

The same report collecting researcher complaints also indicated that Apple has hired a new executive to oversee and reform its bug bounty program.

Read on AppleInsider

Comments

  • Reply 1 of 15
    What a huge mistake from Apple! With the Game Center exploit I manage to retrieve all contacts from the address book! Even after I deployed a profile disabling Game Center! This is not good at all.
    Apple will surely put that on Corona and difficulties to coordinate, but still, this is really not good as any developer that also new about this exploit could have used it.
    Looking forward to reading the excuse from Apple.
    When do you think Apple will release a new iOS software update?
    centaur
  • Reply 2 of 15
    elijahgelijahg Posts: 2,487member
    This is why software should be released when it's ready, not on a fixed yearly schedule. Quite regularly promised features get pushed back to the next update.
    jeffharriscentaurbyronl
  • Reply 3 of 15
    wood1208wood1208 Posts: 2,580member
    No biggy. It's software bug so will be fixed in dot release.
    watto_cobra
  • Reply 4 of 15
    chadbagchadbag Posts: 1,519member
    I have not looked at the actual details of the third one, and am working just from the description here

    while the third allows apps with location services permissions to gain access to Wi-Fi information.


    but based on that description, this is not a bug, but by design.  There are APIs that allow you to get WiFi information, and because, through triangulation, that WiFi I formation could be used to deduce location pretty accurately in many cases, Apple requires location services permission be granted to use the WiFi info APIs.  The app I work on needs WiFi I formation (vertical market app — not consumer app) and we’ve had to deal with this and have gone back and forth with Apple on the requirements for this.  We have to ask for location services permission but we don’t actually need the persons location.  
    appleinsideruserwatto_cobra
  • Reply 5 of 15
    I wonder if Apple did not fix the issues because its own software relied on the feature in some way? I have reported privacy security issues in the past and had them roundly ignored, sometimes for years. For example: No app should be able to access your contact list. Why? Because those contacts have not given permission to have their name, email and address sent to some random app developer. It's their personal information the app is requesting, not yours. Apple has many blind spots like this in their personal information security.
    edited September 24 elijahgbyronl
  • Reply 6 of 15
    elijahgelijahg Posts: 2,487member
    chadbag said:
    I have not looked at the actual details of the third one, and am working just from the description here

    while the third allows apps with location services permissions to gain access to Wi-Fi information.


    but based on that description, this is not a bug, but by design.  There are APIs that allow you to get WiFi information, and because, through triangulation, that WiFi I formation could be used to deduce location pretty accurately in many cases, Apple requires location services permission be granted to use the WiFi info APIs.  The app I work on needs WiFi I formation (vertical market app — not consumer app) and we’ve had to deal with this and have gone back and forth with Apple on the requirements for this.  We have to ask for location services permission but we don’t actually need the persons location.  
    IMO there needs to be an extra permission for apps to fetch detailed WiFi data. I use my phone to monitor WiFi signals in networking installations I've done, but the data is extremely limited to what's available on Android. In fact almost all the data comes from the app querying the APs themselves. The same app on Android is 10x more powerful. 
  • Reply 7 of 15
    wood1208 said:
    No biggy. It's software bug so will be fixed in dot release.
    You don’t seem to grasp the depth of this exploit. Any app could have been downloading everyone’s contacts. It is one of the worst exploit I’ve ever heard of. There is no way to get rid of it. Oh yeah: switch off your phone!

    elijahg
  • Reply 8 of 15
    lkrupplkrupp Posts: 9,627member
    iOSDevSWE said:
    wood1208 said:
    No biggy. It's software bug so will be fixed in dot release.
    You don’t seem to grasp the depth of this exploit. Any app could have been downloading everyone’s contacts. It is one of the worst exploit I’ve ever heard of. There is no way to get rid of it. Oh yeah: switch off your phone!

    Bullshit. Give us your real name and security expert credentials and then maybe we’ll pay attention. Otherwise you are just an anonymous tech blog chicken little. How many times have we had to endure predictions of doom by a user claiming to have 30 years experience in IT and a literal God of the internet, only to find out those predictions were baloney?
    edited September 24 StrangeDayswatto_cobra
  • Reply 9 of 15
    dewmedewme Posts: 3,934member
    elijahg said:
    This is why software should be released when it's ready, not on a fixed yearly schedule. Quite regularly promised features get pushed back to the next update.

    Agreed, and this is essentially what Apple has been doing for the past couple of years, at least. They have been making point releases throughout the year, sending new version and even point release builds through many more beta cycles than they've ever done in the past, and deferring features that don't make the self imposed general release dates. Heck, the beta cycles never really stop coming out once you're on a development profile. This is all under the umbrella of DevOps, continuous integration, and continuous delivery, which is all fine and good as long as you can afford to continuously and rigorously test the flurry of builds and releases. To make it work you have to have a robust suite of test automation and have all developers taking on more responsibility for testing, at least at the unit level. The test investment part is non-negotiable. If you're not doing continuous testing along with your continuous integration, you're going to be totally screwed at some point, it's just a matter of time. 

    I guess you could question why Apple or any ISV even bothers to have self imposed release dates anymore. At least from my experience, some customers are quite intolerant to changes in their systems and need to essentially "lock down" their configurations for longer periods of time than what a lot of individual consumers would do. They also need to plan for changes based on the "promised" set of new features and come up with migration plans to move to new versions ahead of time. In some cases the also do their own independent verification & validation of new components of their systems. I don't know how many Apple customers fall into this realm, but I know a number of Windows and Linux customers who need this level of stability. Does Apple even have a notion of letting users know up-front how long a version of macOS or iOS/iPadOS will be supported, like some versions of Linux do with LTS designations or Windows scheduled support plans for each of their OS versions?  

    The claims being made by these bounty hunters appear to be quite serious. To truly understand how serious they are we really need to hear Apple's side of the story too. One of the reasons that social media is destroying human society is that we get blasted with a constant stream of one side of every story imaginable. The public is then left to act as judge, jury, and executioner without the other side of the story being presented on even terms. On the other hand, the increasing frequency and volume of social media unrest and blog-spew means that we quickly shift our attention to the next big sh**fest in very short order, so last week's falling skies fade into today's noise.
    muthuk_vanalingamStrangeDaysPascalxx
  • Reply 10 of 15
    cpsrocpsro Posts: 2,928member
    iOSDevSWE said:
    wood1208 said:
    No biggy. It's software bug so will be fixed in dot release.
    You don’t seem to grasp the depth of this exploit. Any app could have been downloading everyone’s contacts. It is one of the worst exploit I’ve ever heard of.
    That's not what "illusionofchaos" is said to have reported. "information about a user's contacts" is rather nondescript but it could mean merely the number of contacts is accessible--metadata only. It clearly suggests the actual contact data aren't accessible.
    edited September 24 watto_cobra
  • Reply 11 of 15
    lkrupp said:
    iOSDevSWE said:
    wood1208 said:
    No biggy. It's software bug so will be fixed in dot release.
    You don’t seem to grasp the depth of this exploit. Any app could have been downloading everyone’s contacts. It is one of the worst exploit I’ve ever heard of. There is no way to get rid of it. Oh yeah: switch off your phone!

    Bullshit. Give us your real name and security expert credentials and then maybe we’ll pay attention. Otherwise you are just an anonymous tech blog chicken little. How many times have we had to endure predictions of doom by a user claiming to have 30 years experience in IT and a literal God of the internet, only to find out those predictions were baloney?
    Haha, your comment proves you are not a developer. You don’t need any of my credentials, you can try it yourself! Just do like me: you go to GitHub we’re the code is: https://github.com/illusionofchaos/ios-gamed-0day then install it on your iPhone. You are not a developer but you can install it on your phone by first downloading Xcode on your Mac (free). Then register an AppleID (free). As a non developer you are authorized to install max 3 apps which is enough here. When Xcode is installed open up the .xcodeproj file you downloaded from GitHub. Change in “Signing” to your “appleID”. After that can you try the app! You will see just like me several rows (a List since the dev wrote the code in SwiftUI). The first one links you to all your Contacts, interactions with them with many details. After that the row supposed to display “speedDial” fails so I can’t see any phone calls, instead comes a line pointing to pictures from your contacts. Later on details about your Game Center ID (AppleID, Full name and surname).
    I’m not only an iOS developer, I’m also a mobile pentester with GIAC certification from my SEC575 sans.org course: I tried to use exploit to show info about the IMSI info (xpc service mmcs.plist) but did not manage it.
    So no, I’m not alarmist, I just tried the code myself instead of just reading the info. 
    elijahgmacplusplusMplsP
  • Reply 12 of 15
    cpsro said:
    iOSDevSWE said:
    wood1208 said:
    No biggy. It's software bug so will be fixed in dot release.
    You don’t seem to grasp the depth of this exploit. Any app could have been downloading everyone’s contacts. It is one of the worst exploit I’ve ever heard of.
    That's not what "illusionofchaos" is said to have reported. "information about a user's contacts" is rather nondescript but it could mean merely the number of contacts is accessible--metadata only. It clearly suggests the actual contact data aren't accessible.
    As explained in a response above, instead of just trying to understand what is happening download the code and run it on your iPhone yourself! I don’t need you to believe me, you can verify it yourself! If I could post a screening somewhere I could show you that you get ALL the details about the contacts, even things like when you interacted with your contacts (from the com.apple.interactionC.plist service! It’s really scary. Maybe someone from AppleInsider wants to get screenshots, just ask me 😉
  • Reply 13 of 15
    elijahg said:
    This is why software should be released when it's ready, not on a fixed yearly schedule. Quite regularly promised features get pushed back to the next update.
    They’re already doing that - they bo longer deliver all features in xx.0, and instead bump things to point releases. 

    No, this guy’s claims does not somehow infer Apple doesn’t know what it’s doing but you do. lol
    watto_cobra
  • Reply 14 of 15
    I love how these guys always assume it’s some sort of conspiracy Apple is waging against a random no-name researcher, despite the fact that apple is running a program explicitly to flush these bugs out. if it’s true they didn’t address his reports, I’d bet it’s human failure rather than some ill wish. 
    iOSDevSWEwatto_cobra
  • Reply 15 of 15
    mcdavemcdave Posts: 1,826member
    Black hats dressed as white hats.
    watto_cobra
Sign In or Register to comment.