
Apple patched an iOS lock screen bypass without crediting its discovery

Apple fixed a recently unearthed lock screen bypass with the release of iOS 15.0.1, but failed to publicly recognize the weakness or the person who discovered it.

In September, researcher Jose Rodriguez detailed an iOS vulnerability that enables attackers to bypass a secured iPhone lock screen and access notes through a combination of VoiceOver and common sharing tools.

Rodriguez published a proof of concept on his YouTube channel on Sept. 20, illustrating methods by which a user's notes can be copied and sent to another device. The researcher did not disclose the vulnerability to Apple prior to going public, saying at the time that he was "giving away" the exploit in hopes of shedding light on problems related to the tech giant's Bug Bounty Program.

As noted by Rodriguez in a Twitter post on Friday, Apple's iOS 15.0.1 release contains a fix for the lock screen bypass. Accompanying release notes show that Apple did not assign a CVE designation or provide credit to the researcher for discovering the flaw. The company pulled a similar move last month when it quietly fixed a macOS Finder bug.

A report last week saw researchers criticize Apple's Bug Bounty Program for a general lack of communication and issues with payouts for discovered vulnerabilities. Those sentiments were recently echoed by security researchers Denis Tokarev, Bobby Rauch and Rodriguez, all of whom discovered and reported bugs to Apple.

The tech giant's head of security engineering, Ivan Krstic, in an interview last month called the program a "runaway success," adding that Apple is gathering feedback as it continues to "scale and improve" the initiative. Apple works hard to address mistakes and "learn from them to rapidly improve the program," he said at the time.

Recent reports indicate that Apple hired a new team lead to reform the Bug Bounty Program.



12 Comments

elijahg 18 Years · 2842 comments

Well that confirms at least one of the problems with Apple's bug bounty program: Apple Sherlocked an exploit. Whowouldathunkit?

Angmoh 4 Years · 26 comments

So what if it was reported earlier by someone else as a bug or vulnerability?
"The researcher did not disclose the vulnerability to Apple prior to going public, saying at the time that he was "giving away" the exploit in hopes of shedding light on problems related to the tech giant's Bug Bounty Program."

My reading of this: he tried to report, but was not the first and therefore could not claim the bounty. Not every "researcher" is running their own YouTube channel. Most will be working for companies which do not allow their staff to run to the media to claim publicity.

Even if he was the first to discover, the problem for Rodriguez was that the moment he placed it on YouTube, he lost any IP rights. The video itself is copyrighted but the knowledge inside is now made public. Everyone can use it without needing to credit and this includes Apple.

citpeks 10 Years · 253 comments

Correct me if I'm wrong, I haven't been following this closely, but from what has been written here, this is how I read it:
1) Researcher discovers (another) bug, but as a means of protest and to draw attention, opts not to report new bug to Apple through the proper channels, and exposes it in a YouTube video instead. The "gives away" part, whether a direct quote or not, suggests researcher is willing to forego the compensation, if not the credit, for the new discovery.

2) Apple fixes bug, without acknowledgement, or compensation.

3) Researcher now bemoaning the lack of credit/compensation, for a bug that wasn't reported, or formally submitted through established channels, just YouTube.

4) This is a researcher who has gone through the procedure before, and has been acknowledged, and compensated by Apple for that discovery, of another lock screen bug.  He may have his issues with the system, but he cannot claim to not know how it works.

This, of course, doesn't preclude the possibility that Apple may have discovered the bug on its own, treated it as an internal patch, however unlikely that might be. There's also the possibility that it was indirectly mitigated as a side effect from patches made for other purposes. I'm not aware of the expected disclosure requirements of bugs found internally, or how closely they are enforced, but CVEs apply to publicly known vulnerabilities. Does a YouTube video formally qualify?

All I know is that ignoring, and making it a point to flout the system, however messed up you may think it is, might not be the best way to achieve the desired outcome, or effect change.

Such tactics are cheap, and pander to the lowest common denominator, and/or those incapable of applying critical thinking.

hackintoisier 5 Years · 86 comments

I mean these kinds of bugs are embarrassing. Not surprising that Apple or any other company doesn’t want to draw attention to them.

Also, if this one wasn’t reported through the proper channels, why would anyone expect to be given credit anyways?