Apple has quietly patched a zero-day vulnerability that could have given apps access to sensitive information in iOS 15.0.2, but reportedly did not credit the discoverer of the flaw.
The vulnerability was discovered by software developer Denis Tokarev seven months before the release of iOS 15.0.2. Back in September, Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program, including the fact that he went uncredited on another fixed flaw.
According to Bleeping Computer, Tokarev reached out to Apple after the release of iOS 15.0.2 to inquire about the lack of credit. Apple replied by asking him to keep the contents of their email exchange confidential.
The flaw was an exploitable bug that could have given user-installed apps from the App Store unauthorized access to sensitive data that would normally be protected by sandboxing or Transparency, Consent, and Control protections. Apple says those flaws are worth up to a $100,000 bounty.
In total, Tokarev reported four vulnerabilities to Apple. The company fixed one of them in iOS 14.7 and the second in iOS 15.0.2. Two of the zero-day flaws are still present in the latest version of iOS 15. Apple said they were "still investigating" back in September.
This isn't the first time that a security researcher said they were snubbed by Apple's bug bounty program. Back in September, a report shed light on complaints of security researchers being ignored, going uncredited, or failing to receive payment.
Apple, for its part, characterizes the bug bounty program as a "runaway success." It noted that it works to correct any mistakes that it makes quickly.
18 Comments
Cost savings like this are how Apple manages to keep its prices so low…
Seems like a few people at Apple do not operate in the best interest of the company and thus make the whole organization look bad. Why is that allowed to happen. Clean house and give credit. The bounty is budget dust for Apple.
Would be nice if my two old iPads Pro would update to 15.0.2, but they just sit at "installing" for hours on end. Same behavior was observed with the 15.0.1 update, too. Perhaps they've already been compromised.
Given the secrecy of Apple, there is no way for the outsider to know if this bug is zero day or known for years.