Apple quietly fixes zero-day flaw in iOS 15.0.2, but didn't credit its finder

Apple has quietly patched a zero-day vulnerability that could have given apps access to sensitive information in iOS 15.0.2, but reportedly did not credit the discoverer of the flaw.

Credit: Andrew O'Hara, AppleInsider
The vulnerability was discovered by software developer Denis Tokarev seven months before the release of iOS 15.0.2. Back in September, Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program, including the fact that he went uncredited on another fixed flaw.

According to Bleeping Computer, Tokarev reached out to Apple after the release of iOS 15.0.2 to inquire about the lack of credit. Apple replied by asking him to keep the contents of their email exchange confidential.

The flaw was an exploitable bug that could have given user-installed apps from the App Store unauthorized access to sensitive data that would normally be protected by sandboxing or Transparency, Consent, and Control protections. Apple says those flaws are worth up to a $100,000 bounty.

In total, Tokarev reported four vulnerabilities to Apple. The company fixed one of them in iOS 14.7 and the second in iOS 15.0.2. Two of the zero-day flaws are still present in the latest version of iOS 15. Apple said they were "still investigating" back in September.

This isn't the first time that a security researcher said they were snubbed by Apple's bug bounty program. Back in September, a report shed light on complaints of security researchers being ignored, going uncredited, or failing to receive payment.

Apple, for its part, characterizes the bug bounty program as a "runaway success." It noted that it works to quickly correct any mistakes it makes.

Comments

  • Reply 1 of 18
    Cost savings like this are how Apple manages to keep its prices so low…
  • Reply 2 of 18
    Seems like a few people at Apple do not operate in the best interest of the company and thus make the whole organization look bad. Why is that allowed to happen? Clean house and give credit. The bounty is budget dust for Apple.
  • Reply 3 of 18
    Cost savings like this are how Apple manages to keep its prices so low…
    This was the comment of the year. Outstanding and well done.
  • Reply 4 of 18
    cpsro
    Would be nice if my two old iPads Pro would update to 15.0.2, but they just sit at "installing" for hours on end. Same behavior was observed with the 15.0.1 update, too. Perhaps they've already been compromised.
  • Reply 5 of 18
    Given the secrecy of Apple, there is no way for the outsider to know if this bug is zero day or known for years.

    I don’t think Apple will be this cheap. After all, the reward is like a grain of sand on a beach to Apple.
  • Reply 6 of 18
    cpsro said:
    Would be nice if my two old iPads Pro would update to 15.0.2, but they just sit at "installing" for hours on end. Same behavior was observed with the 15.0.1 update, too. Perhaps they've already been compromised.
    Apparently it's a known issue. My original 9.7 IPP updated fine. Was yours cellular?
  • Reply 7 of 18
    elijahg
    viclauyyc said:
    Given the secrecy of Apple, there is no way for the outsider to know if this bug is zero day or known for years.

    I don’t think Apple will be this cheap. After all, the reward is like a grain of sand on a beach to Apple.
    If they knew about a critical security bug and kept it under wraps without a fix that is as bad or worse than not paying the bug bounty.
    edited October 2021
  • Reply 8 of 18
    Is it possible that the flaws were reported together and Apple is waiting until all are fixed before closing the report and issuing credit and payment to the reporting developer?

    Just trying really hard to find a reason for this approach from Apple. It's much more likely that the whole bug bounty system is mismanaged and under-funded because someone at Apple has decided it doesn't matter, and that someone is not getting heat from upper management about it.

    Time for an email to Tim!
  • Reply 9 of 18
    Apple, for its part, characterizes the bug bounty program as a "runaway success." It noted that it works to correct any mistakes that it makes quickly.
    Hmm. This sounds a lot like the App Store Review appeals "process." Perhaps it's not surprising that there are similar outcomes.
  • Reply 10 of 18
    dewme
    This is a bad look for Apple, but I’d like to see Apple’s response to the claim. Hopefully the reported confidentiality request from Apple was not their last engagement with the researcher in question. It would be nice if an independent party like AppleInsider could follow up with both sides to see where this lands.

    It blows my mind that a process as serious as Apple’s Bug Bounty Program would not have a very regimented incident tracking system in place. The system should include formal notification to the submitter about exactly what type of public credit and financial compensation will be awarded. The person submitting the report should not be waiting around and reading release notes every time a new release drops to see whether their submission is given the credit it deserves.

    If Apple doesn’t provide the proper assurances and follow-through, I think that it’s far more likely that researchers will get frustrated and try to embarrass Apple.
  • Reply 11 of 18
    elijahg
    dewme said:
    It blows my mind that a process as serious as Apple’s Bug Bounty Program would not have a very regimented incident tracking system in place. The system should include formal notification to the submitter about exactly what type of public credit and financial compensation will be awarded. The person submitting the report should not be waiting around and reading release notes every time a new release drops to see whether their submission is given the credit it deserves.

    If Apple doesn’t provide the proper assurances and follow-through, I think that it’s far more likely that researchers will get frustrated and try to embarrass Apple.
    Considering it all goes through (what used to be called) Radar, it's no surprise. Apple's bug reporting has been terrible for years. It's as if they don't really want to know about bugs. The main problem is how opaque the process is; I have had bugs open for literally years with no replies, some issues get one reply from engineering to which my answer goes ignored, others are marked as duplicates with no way to see the details of the other issue, and there is no notification of whether the issue has been fixed or a timeline of when it might be. And Apple's release notes stating only "bug fixes and performance improvements" is incredibly lazy.

    Since Apple doesn't seem to care about bugs until they get media attention, and fixing them doesn't directly result in more profit, I can't say I'm surprised they're not really interested in paying out the bug bounties.
  • Reply 12 of 18
    larryjw
    dewme said:
    This is a bad look for Apple, but I’d like to see Apple’s response to the claim. Hopefully the reported confidentiality request from Apple was not their last engagement with the researcher in question. It would be nice if an independent party like AppleInsider could follow up with both sides to see where this lands.

    It blows my mind that a process as serious as Apple’s Bug Bounty Program would not have a very regimented incident tracking system in place. The system should include formal notification to the submitter about exactly what type of public credit and financial compensation will be awarded. The person submitting the report should not be waiting around and reading release notes every time a new release drops to see whether their submission is given the credit it deserves.

    If Apple doesn’t provide the proper assurances and follow-through, I think that it’s far more likely that researchers will get frustrated and try to embarrass Apple.
    Absolutely correct. Just because someone publicly claims they are the discoverer of some bug does not mean they were the first to make the discovery, for example. Apple must be more transparent to researchers and the public about critical bugs. I think in the 15.0.2 case, they credited "anonymous" with the bug find in question.
  • Reply 13 of 18
    elijahg
    larryjw said:
    dewme said:
    This is a bad look for Apple, but I’d like to see Apple’s response to the claim. Hopefully the reported confidentiality request from Apple was not their last engagement with the researcher in question. It would be nice if an independent party like AppleInsider could follow up with both sides to see where this lands.

    It blows my mind that a process as serious as Apple’s Bug Bounty Program would not have a very regimented incident tracking system in place. The system should include formal notification to the submitter about exactly what type of public credit and financial compensation will be awarded. The person submitting the report should not be waiting around and reading release notes every time a new release drops to see whether their submission is given the credit it deserves.

    If Apple doesn’t provide the proper assurances and follow-through, I think that it’s far more likely that researchers will get frustrated and try to embarrass Apple.
    Absolutely correct. Just because someone publicly claims they are the discoverer of some bug does not mean they were the first to make the discovery, for example. Apple must be more transparent to researchers and the public about critical bugs. I think in the 15.0.2 case, they credited "anonymous" with the bug find in question.
    The current opacity though means that with zero proof, they can claim "anonymous" reported the bug and then refuse to pay out.
  • Reply 14 of 18
    What's mostly missing here is transparency on Apple's part. These bugs could be harder to fix and may need several departments to work together, which is nearly impossible at Apple. So maybe we get 2-3 patches for these bugs. They could at least communicate much, much better.
  • Reply 15 of 18
    @AppleInsider -> "Apple quietly fixes" - How was this update/security patch "quiet"? It was released, with the same details as every other update/patch in the past. It wasn't "quietly fixed".

    It is published right here, Apple Security Updates, with a link to the details right here, About the security content of iOS 15.0.2 and iPadOS 15.0.2, including the same details as included with every other security update in the past.

    Come on AppleInsider...
  • Reply 16 of 18
    maltz
    The company fixed one of them in iOS 14.7 and the second in iOS 15.0.2.
    So what I want to know is: is Apple still updating iOS 14 or not? Part of the whole point of allowing people to stay on the old OS was so they could receive security updates without risking the pitfalls of a new major version, but since iOS 15 dropped, they've issued security updates of varying severity in all 3 releases, but none for iOS 14.
  • Reply 17 of 18
    Update killed the News widget for me. It’s gone completely.