Apple patched an iOS lock screen bypass without crediting its discovery

Posted:
in iOS edited October 2021
Apple fixed a recently unearthed lock screen bypass with the release of iOS 15.0.1, but failed to publicly recognize the weakness or the person who discovered it.

iOS Lock Screen Bypass


In September, researcher Jose Rodriguez detailed an iOS vulnerability that enables attackers to bypass a secured iPhone lock screen and access notes through a combination of VoiceOver and common sharing tools.

Rodriguez published a proof of concept on his YouTube channel on Sept. 20, illustrating methods by which a user's notes can be copied and sent to another device. The researcher did not disclose the vulnerability to Apple prior to going public, saying at the time that he was "giving away" the exploit in hopes of shedding light on problems related to the tech giant's Bug Bounty Program.

As noted by Rodriguez in a Twitter post on Friday, Apple's iOS 15.0.1 release contains a fix for the lock screen bypass. Accompanying release notes show that Apple did not assign a CVE designation or provide credit to the researcher for discovering the flaw. The company pulled a similar move last month when it quietly fixed a macOS Finder bug.

A report last week saw researchers criticize Apple's Bug Bounty Program for a general lack of communication and issues with payouts for discovered vulnerabilities. Those sentiments were recently echoed by security researchers Denis Tokarev, Bobby Rauch and Rodriguez, all of whom discovered and reported bugs to Apple.

The tech giant's head of security engineering, Ivan Krstic, in an interview last month called the program a "runaway success," adding that Apple is gathering feedback as it continues to "scale and improve" the initiative. Apple works hard to address mistakes and "learn from them to rapidly improve the program," he said at the time.

Recent reports indicate that Apple hired a new team lead to reform the Bug Bounty Program.

Read on AppleInsider

Comments

  • Reply 1 of 12
    elijahgelijahg Posts: 2,586member
    Well that confirms at least one of the problems with Apple's bug bounty program: Apple Sherlocked an exploit. Whowouldathunkit?
    edited October 2021 lkruppdarkvader
  • Reply 2 of 12
    The sky really is falling.
  • Reply 3 of 12
    So what if it was reported earlier by some else as a bug or vulnerability?

     "The researcher did not disclose the vulnerability to Apple prior to going public, saying at the time that he was "giving away" the exploit in hopes of shedding light on problems related to the tech giant's Bug Bounty Program." 

    My reading of this: he tried to report, but was not the first and therefore could not claim the bounty. Not every "researcher" is running their own YouTube channel. Most will be working for companies which do not allow their staff to run to the media to claim publicity.

    Even if he was the first to discover, the problem for Rodriguez was that the moment he placed it on Youtube, he lost any IP rights. The video itself is copyrighted but the knowledge inside is now made public. Everyone can use it without needing to credit and this includes Apple.
    scstrrfhucom2000applguyravnorodomMplsPlkruppmacplusplusmuthuk_vanalingam
  • Reply 4 of 12
    citpekscitpeks Posts: 185member
    Correct me if I'm wrong, I haven't been following this closely, but from what has been written here, this is how I read it:

    1) Researcher discovers (another) bug, but as a means of protest and to draw attention, opts not to report new bug to Apple through the proper channels, and exposes it in a YouTube video instead.  The "gives away" part, whether a direct quote or not, suggests researcher is wiling to forego the compensation, if not the credit, for the new discovery.

    2) Apple fixes bug, without acknowledgement, or compensation.

    3) Researcher now bemoaning the lack of credit/compensation, for a bug that wasn't reported, or formally submitted through established channels, just YouTube.

    4) This is a researcher who has gone through the procedure before, and has been acknowledged, and compensated by Apple for that discovery, of another lock screen bug.  He may have his issues with the system, but he cannot claim to not know how it works.

    This, of course, doesn't preclude the possibility that Apple may have discovered the bug on its own, treated it as an internal patch, however unlikely that might be.  There's also the possibility that is was indirectly mitigated as a side effect from patches made for other purposes.  I'm not aware of the expected disclosure requirements of bugs found internally, or how closely they are enforced, but CVEs apply to publicly known vulnerabilities.  Does a YouTube video formally qualify?

    All I know is that ignoring, and making it a point to flout the system, however messed up you may think it is, might not be the best way to achieve the desired outcome, or effect change.

    Such tactics are cheap, and pander to the lowest common denominator, and/or those incapable of applying critical thinking.
    hucom2000MplsPmike1macplusplusgenovellemuthuk_vanalingam
  • Reply 5 of 12
    I mean these kinds of bugs are embarrassing. Not surprising that Apple or any other company doesn’t want to draw attention to them.

    Also, if this one wasn’t reported thorough the proper channels, why would anyone expect to be given credit anyways? 
    hucom2000williamlondon
  • Reply 6 of 12
    MplsPMplsP Posts: 3,606member
    citpeks said:
    Correct me if I'm wrong, I haven't been following this closely, but from what has been written here, this is how I read it:

    1) Researcher discovers (another) bug, but as a means  free of protest and to draw attention, opts not to report new bug to Apple through the proper channels, and exposes it in a YouTube video instead.  The "gives away" part, whether a direct quote or not, suggests researcher is wiling to forego the compensation, if not the credit, for the new discovery.

    2) Apple fixes bug, without acknowledgement, or compensation.

    3) Researcher now bemoaning the lack of credit/compensation, for a bug that wasn't reported, or formally submitted through established channels, just YouTube.

    4) This is a researcher who has gone through the procedure before, and has been acknowledged, and compensated by Apple for that discovery, of another lock screen bug.  He may have his issues with the system, but he cannot claim to not know how it works.

    This, of course, doesn't preclude the possibility that Apple may have discovered the bug on its own, treated it as an internal patch, however unlikely that might be.  There's also the possibility that is was indirectly mitigated as a side effect from patches made for other purposes.  I'm not aware of the expected disclosure requirements of bugs found internally, or how closely they are enforced, but CVEs apply to publicly known vulnerabilities.  Does a YouTube video formally qualify?

    All I know is that ignoring, and making it a point to flout the system, however messed up you may think it is, might not be the best way to achieve the desired outcome, or effect change.

    Such tactics are cheap, and pander to the lowest common denominator, and/or those incapable of applying critical thinking.
    That was my thought exactly. There are plenty of reports of issues with Apple’s bug bounty program but this doesn’t seem to be one of them. It seems that the story is criticizing Apple For not following protocol when the researcher started off not following protocol. 
    lkruppmike1muthuk_vanalingam
  • Reply 7 of 12
    lkrupplkrupp Posts: 9,988member
    As the article says, the researcher did not report the bug to Apple but published the exploit on social media. Now he wants recognition and compensation? Fuck him.
    mike112Strangerswilliamlondonmacplusplusgenovelle
  • Reply 8 of 12
    mike1mike1 Posts: 2,948member
    citpeks said:
    Correct me if I'm wrong, I haven't been following this closely, but from what has been written here, this is how I read it:

    1) Researcher discovers (another) bug, but as a means of protest and to draw attention, opts not to report new bug to Apple through the proper channels, and exposes it in a YouTube video instead.  The "gives away" part, whether a direct quote or not, suggests researcher is wiling to forego the compensation, if not the credit, for the new discovery.

    2) Apple fixes bug, without acknowledgement, or compensation.

    3) Researcher now bemoaning the lack of credit/compensation, for a bug that wasn't reported, or formally submitted through established channels, just YouTube.

    4) This is a researcher who has gone through the procedure before, and has been acknowledged, and compensated by Apple for that discovery, of another lock screen bug.  He may have his issues with the system, but he cannot claim to not know how it works.

    This, of course, doesn't preclude the possibility that Apple may have discovered the bug on its own, treated it as an internal patch, however unlikely that might be.  There's also the possibility that is was indirectly mitigated as a side effect from patches made for other purposes.  I'm not aware of the expected disclosure requirements of bugs found internally, or how closely they are enforced, but CVEs apply to publicly known vulnerabilities.  Does a YouTube video formally qualify?

    All I know is that ignoring, and making it a point to flout the system, however messed up you may think it is, might not be the best way to achieve the desired outcome, or effect change.

    Such tactics are cheap, and pander to the lowest common denominator, and/or those incapable of applying critical thinking.

    That about sums it up.
  • Reply 9 of 12
    lkrupp said:
    As the article says, the researcher did not report the bug to Apple but published the exploit on social media. Now he wants recognition and compensation? Fuck him.
    It looks like just about everyone who has commented so far has the same opinion about this guy. However, the article  doesn’t state that he was looking for either compensation or credit. Maybe he didn’t do through the Bug Bounty Program because he didn’t want to be disappointed. Maybe he was just trying to be a “Good Samaritan “ and not expecting credit. 
    williamlondon
  • Reply 10 of 12
    MplsPMplsP Posts: 3,606member
    lkrupp said:
    As the article says, the researcher did not report the bug to Apple but published the exploit on social media. Now he wants recognition and compensation? Fuck him.
    It looks like just about everyone who has commented so far has the same opinion about this guy. However, the article  doesn’t state that he was looking for either compensation or credit. Maybe he didn’t do through the Bug Bounty Program because he didn’t want to be disappointed. Maybe he was just trying to be a “Good Samaritan “ and not expecting credit. 
    Then why write an article highlighting the fact that Apple failed to give him credit?
    williamlondon
  • Reply 11 of 12
    citpekscitpeks Posts: 185member
    lkrupp said:
    As the article says, the researcher did not report the bug to Apple but published the exploit on social media. Now he wants recognition and compensation? Fuck him.
    It looks like just about everyone who has commented so far has the same opinion about this guy. However, the article  doesn’t state that he was looking for either compensation or credit. Maybe he didn’t do through the Bug Bounty Program because he didn’t want to be disappointed. Maybe he was just trying to be a “Good Samaritan “ and not expecting credit. 
    That's a fair point.

    But it's difficult to accept that a reputable "security researcher," who has been through the process, and should be familiar with the protocol surrounding things such as responsible disclosure, discovers a bug, doesn't notify the company, publicly publishes the exploit…and then casually notes that it has been fixed without acknowledgement.

    This isn't a case where a random user stumbles across an odd behavior, then demonstrates it in search of an explanation, or some sort of solution.

    What has been demonstrated is a kind of passive aggressive behavior with the intent to embarrass the company, and attempt to send some sort of subtle message, probably due to some kind of discontent or personal beef he has with Apple.  If you have any doubt about his stance, look at his Twitter feed.

    One would have to be foolish to fail to see through his act, and buy into whatever weak plausible deniability that might be suggested.

    There is no doubt Apple has issues, including how it runs its bug bounty program, and responds to its bug reports, but settling fire to a store where the clerk is rude to you, while other shoppers are inside, and then scurrying away to dial 911 and pretend to be the hero, isn't the way to resolve the issue.  That's weak bullshit.
    edited October 2021 williamlondonmuthuk_vanalingam
  • Reply 12 of 12
    genovellegenovelle Posts: 1,354member
    lkrupp said:
    As the article says, the researcher did not report the bug to Apple but published the exploit on social media. Now he wants recognition and compensation? Fuck him.
    It looks like just about everyone who has commented so far has the same opinion about this guy. However, the article  doesn’t state that he was looking for either compensation or credit. Maybe he didn’t do through the Bug Bounty Program because he didn’t want to be disappointed. Maybe he was just trying to be a “Good Samaritan “ and not expecting credit. 
    Then why is he complaining?
    williamlondon
Sign In or Register to comment.