A security researcher claims that Apple snubbed them on a zero-day flaw they reported, and that the company has yet to fix three other zero-day vulnerabilities that are now present in iOS 15.
In a blog post on Friday, security researcher illusionofchaos wrote about their "frustrating experience participating in the Apple Security Bounty program." The program is meant to offer payments to independent researchers for finding flaws in Apple's systems.
The researcher says they submitted four zero-day vulnerabilities to Apple between March 10 and May 4. One of those vulnerabilities was patched in iOS 14.7, but the researcher said Apple "decided to cover it up and not list it on the security content page."
"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote. "There were three releases since then and they broke their promise each time."
Additionally, three of the other security flaws are still present in the released version of iOS 15. The researcher said Apple has ignored disclosure of the iOS flaws.
"Ten days ago I asked for an explanation and warned them that I would make my research public if I don't receive an explanation," illusionofchaos said. "My request was ignored so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines."
The three vulnerabilities include a flaw that allows apps downloaded from the iOS App Store to read data like Apple ID credentials and information about a user's contacts. Another flaw allows any app to check whether any other app is installed on a device, while the third allows apps with location services permissions to gain access to Wi-Fi information.
This is not the first time a security researcher has voiced concerns about Apple's Security Bounty program. Earlier in September, a report collected a slew of complaints about the initiative, including researchers calling out poor communication, payment confusion, and other issues.
Apple first overhauled its bounty program in 2019, opening it to any security researcher and increasing payouts. Since then, Apple has called the program a "runaway success."
The same report collecting researcher complaints also indicated that Apple has hired a new executive to oversee and reform its bug bounty program.
What a huge mistake from Apple! With the Game Center exploit I managed to retrieve all contacts from the address book! Even after I deployed a profile disabling Game Center! This is not good at all.
Apple will surely put that on Corona and difficulties in coordinating, but still, this is really not good, as any developer that also knew about this exploit could have used it.
Looking forward to reading the excuse from Apple.
When do you think Apple will release a new iOS software update?
This is why software should be released when it's ready, not on a fixed yearly schedule. Quite regularly promised features get pushed back to the next update.
No biggy. It's a software bug, so it will be fixed in a dot release.
I have not looked at the actual details of the third one, and am working just from the description here, but based on that description, this is not a bug, but by design. There are APIs that allow you to get WiFi information, and because, through triangulation, that WiFi information could be used to deduce location pretty accurately in many cases, Apple requires location services permission be granted to use the WiFi info APIs. The app I work on needs WiFi information (vertical market app — not consumer app) and we’ve had to deal with this and have gone back and forth with Apple on the requirements for this. We have to ask for location services permission but we don’t actually need the person's location.
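The permission gating the commenter describes, as an added illustration that is not the commenter's code or Apple's sample code: an app that only wants the current Wi-Fi SSID still has to hold location authorization before the system will return it. The class name `WiFiInfoReader` is assumed; the app is also assumed to carry the Access WiFi Information entitlement and an `NSLocationWhenInUseUsageDescription` string in Info.plist, and the APIs used here require iOS 14 or later.

```swift
import CoreLocation
import NetworkExtension

// Hypothetical helper (not from the page): reads the joined network's SSID,
// but only after the user has granted location access, which is the gate
// Apple places in front of Wi-Fi information because SSID/BSSID can be
// triangulated into a fairly precise position.
final class WiFiInfoReader: NSObject, CLLocationManagerDelegate {
    private let locationManager = CLLocationManager()
    private var pending: ((String?) -> Void)?

    override init() {
        super.init()
        locationManager.delegate = self
    }

    /// Calls `completion` with the SSID, or nil when location access
    /// was denied or the device is not on Wi-Fi.
    func fetchSSID(completion: @escaping (String?) -> Void) {
        switch locationManager.authorizationStatus {
        case .authorizedWhenInUse, .authorizedAlways:
            readSSID(completion)
        case .notDetermined:
            // Ask once; the delegate callback below resumes the request.
            pending = completion
            locationManager.requestWhenInUseAuthorization()
        default:
            // .denied / .restricted: no location grant, so no Wi-Fi info.
            completion(nil)
        }
    }

    private func readSSID(_ completion: @escaping (String?) -> Void) {
        // Returns nil without location authorization or the entitlement.
        NEHotspotNetwork.fetchCurrent { network in
            completion(network?.ssid)
        }
    }

    // Resume a request that was waiting on the permission prompt.
    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        guard let completion = pending else { return }
        pending = nil
        fetchSSID(completion: completion)
    }
}
```

Note that the app never reads a coordinate: the location grant is requested solely because the platform ties Wi-Fi details to it, which is the mismatch between what the app needs and what the user is asked to approve.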
I wonder if Apple did not fix the issues because its own software relied on the feature in some way? I have reported privacy security issues in the past and had them roundly ignored, sometimes for years. For example: No app should be able to access your contact list. Why? Because those contacts have not given permission to have their name, email and address sent to some random app developer. It's their personal information the app is requesting, not yours. Apple has many blind spots like this in their personal information security.