A security researcher accuses Apple of ignoring more zero-day vulnerabilities in iOS 15

Apple overhauled its security bounty program back in 2019, opening it to everyone, increasing payouts and more. However, the program has since drawn widespread criticism from the infosec community. Now another security researcher has shared their experience, claiming that Apple did not credit them for one zero-day bug they reported, which has since been fixed, and that three more zero-day vulnerabilities they reported are still present in iOS 15.

Security researcher illusionofchaos shared their experience in a blog post, including the claim that Apple has known about three zero-day vulnerabilities since March, ignored them, and shipped iOS 15 with them still present.

I want to share my frustrating experience of participating in the Apple Security Bounty program. This year, I reported four 0-day vulnerabilities between March 10 and May 4, three of which are still present in the latest version of iOS (15.0), and one was fixed in 14.7, but Apple chose to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me that it happened due to a processing issue, and promised to list it on the security content page of the next update. Since then, three releases have been published and each time they have broken their promise.

illusionofchaos says they again asked Apple for an explanation, warning that they would publish their research, in line with responsible disclosure guidelines, but Apple has not responded.

Ten days ago I asked for an explanation and warned that I would publish my research if I didn’t get one. My request was ignored, so I am doing what I said I would. My actions comply with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities 90 days after reporting them to the vendor, ZDI after 120). I waited much longer, up to half a year in one case.

illusionofchaos shared details of the three remaining zero-day vulnerabilities they found, named “Gamed 0-day”, “Nehelper Enumerate Installed Apps 0-day” and “Nehelper Wifi Info 0-day”, including proof-of-concept source code.

Here is an overview of each of them:

Gamed 0-day

Any app installed from the App Store can access the following data without any user prompt:

  • Apple ID email address and full name associated with it
  • Apple ID authentication token that allows access to at least one of the endpoints on * on behalf of the user
  • Full file system read access to the Core Duet database (which contains a list of contacts from Mail, SMS, iMessage and third-party messaging apps, plus metadata about all user interactions with those contacts, including timestamps and statistics, and also some attachments such as URLs and texts)
  • Full file system read access to the Speed Dial database and the Address Book database, including contact pictures and other metadata such as creation and modification dates (I just checked on iOS 15, and this one is no longer accessible, so it must have been quietly fixed recently)

Nehelper Enumerate Installed Apps 0-day

The vulnerability allows any user-installed app to determine whether another app is installed on the device, given its bundle ID.

Nehelper Wifi Info 0-day

The XPC endpoint accepts a user-supplied sdk-version parameter, and if its value is less than or equal to 524288, the entitlement check is skipped. This allows any qualifying app (e.g. one that has location access authorization) to obtain Wi-Fi information without the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.
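To make the bug class concrete, here is an added example (constructed for this article, not Apple's code and not the researcher's proof of concept) that models a service-side entitlement check in C. The request struct, the entitlement name "example.wifi-info" and the sample callers are all made up; only the 524288 threshold and the ordering of the checks come from the write-up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a request as the daemon sees it; not a real XPC message. */
typedef struct {
    const char *entitlements;  /* comma-separated entitlement names the caller holds */
    uint32_t    sdk_version;   /* compatibility field supplied by the caller */
} request_t;

#define REQUIRED_ENTITLEMENT "example.wifi-info" /* placeholder name, not Apple's */
#define LEGACY_SDK_CUTOFF    524288u              /* threshold quoted in the write-up */

/* Exact-token match against the comma-separated entitlement list. */
static bool caller_has_entitlement(const request_t *req, const char *name) {
    const char *p = req->entitlements;
    size_t n = strlen(name);
    while (p && *p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0) return true;
        p = end ? end + 1 : NULL;
    }
    return false;
}

/* Vulnerable pattern described on the page: a legacy-SDK shortcut runs before the
   entitlement check, and the value driving the shortcut is chosen by the caller. */
bool check_if_entitled_vulnerable(const request_t *req) {
    if (req->sdk_version <= LEGACY_SDK_CUTOFF)
        return true;  /* authorization skipped entirely */
    return caller_has_entitlement(req, REQUIRED_ENTITLEMENT);
}

/* Hardened pattern: the access decision never depends on a caller-controlled field.
   sdk_version may still select a response format, but it cannot grant access. */
bool check_if_entitled_fixed(const request_t *req) {
    return caller_has_entitlement(req, REQUIRED_ENTITLEMENT);
}

/* Constructed sample callers: one properly entitled, one that only claims an old SDK. */
const request_t SAMPLE_ENTITLED = { "example.location,example.wifi-info", 600000u };
const request_t SAMPLE_SPOOFED  = { "example.location", 524288u };

int main(void) {
    printf("vulnerable: entitled=%d spoofed=%d\n",
           check_if_entitled_vulnerable(&SAMPLE_ENTITLED),
           check_if_entitled_vulnerable(&SAMPLE_SPOOFED));
    printf("fixed:      entitled=%d spoofed=%d\n",
           check_if_entitled_fixed(&SAMPLE_ENTITLED),
           check_if_entitled_fixed(&SAMPLE_SPOOFED));
    return 0;
}
```

The point for reviewers of privileged services is the ordering: any compatibility or version branch must sit after, not before, the authorization decision, and must never be fed from data the client controls.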

Two perspectives

Stepping back to see the bigger picture, Apple has called its bug bounty program a “runaway success,” while the infosec community has raised a number of specific criticisms and concerns about it. These include allegations that Apple did not respond, or did not respond promptly, to reports, and that Apple did not pay for reported bugs that met the bounty program's guidelines.

Notably, earlier this month we learned that Apple has hired a new leader for its security program with the goal of “reforming” it.


Naveen Kumar