illusionofchaos

About

Username
illusionofchaos
Joined
Visits
0
Last Active
Roles
member
Points
40
Badges
0
Posts
1
  • Apple fails to patch publicly disclosed zero-day flaws with iOS 15.0.1

    the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users' Apple ID information if somehow allowed onto the App Store. 
    Thats a bit of an understatement.

    - Apple ID email and full name associated with it
    - Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user
    - Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)
    - Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates
    - The vulnerability allows any user-installed app to determine whether any app is installed on the device given its bundle ID.
    - This makes it possible for any qualifying app (e.g. posessing location access authorization) to gain access to Wifi information without the required entitlement.

    Read my blog posts for details.
    dope_ahminefastasleepelijahgapplguyprismaticsfahlmancaladanianwatto_cobra