Apple ignored reports of three big security problems in iOS 15, researcher says

By Mike Peterson

A security researcher claims that Apple snubbed them on a zero-day flaw they reported, and that the company has yet to fix three other zero-day vulnerabilities that are now present in iOS 15.

Credit: Andrew O'Hara, AppleInsider

In a blog post on Friday, security researcher illusionofchaos wrote about their "frustrating experiencing participating in the Apple Security Bounty program." The program is meant to offer payments to independent researchers for finding flaws in Apple's systems.

The researcher says they submitted four zero-day vulnerabilities to Apple between March 10 and May 4. One of those vulnerabilities was patched in iOS 14.7, but the researcher said Apple "decided to cover it up and not list it on the security content page."

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote. "There were three releases since then and they broke their promise each time."

Additionally, three of the other security flaws are still present in the released version of iOS 15. The researcher said Apple has ignored disclosure of the iOS flaws.

"Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation," illusionofchaos said. "My request was ignored so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines."

The three vulnerabilities include a flaw that allows apps downloaded from the iOS App Store to read data like Apple ID credentials and information about a user's contacts. Another flaw allows any app to check whether any other app is installed on a device, while the third allows apps with location services permissions to gain access to Wi-Fi information.

This is not the first time a security researcher has voiced concerns about Apple's Security Bounty program. Earlier in September, a report collected a slew of complaints about the initiative, including researchers calling out poor communication, payment confusion, and other issues.

Apple first overhauled its bounty program in 2019, opening it to any security researcher and increasing payouts. Since then, Apple has called the program a "runaway success."

The same report collecting researcher complaints also indicated that Apple has hired a new executive to oversee and reform its bug bounty program.