Audiences support AppleInsider and can earn a commission when you shop through our links. These partnerships do not affect our editorial content.
Apple’s latest update for iOS 15 does not contain patches for three zero-day vulnerabilities that were reported to the company a few months ago and released last week.
In September, security researcher Denis Tokarev, better known by his pseudonym illusionofcha0s, claimed that Apple had ignored several reports related to the newly discovered zero-day vulnerabilities present in iOS, the company’s leading mobile operating system. Tokarev reported four bugs to Apple between March 10 and May 4, and while one problem was patched in iOS 14.7, the other three stay active in the latest iOS 15.0.1.
By its own admission, the zero-day vulnerabilities that last are not critical, and one relates to an error that could allow malicious apps to read Apple user IDs if they are somehow allowed access to the App Store.
However, Apple’s handling of the findings, reported through the Bug Bounty program, does not suit Tokarev, who wrote a blog in late September detailing his interaction with the tech giant’s team. According to the researcher, Apple failed to list the security issue it patched in iOS 14.7 and did not add bug information in subsequent security page updates.
“When I confronted them, they apologized, assured me it was due to processing issues, and promised to put it on the security content page in the next update,” the illusionofchaos wrote at the time. “Since then, three editions have been published and each time they have broken their promise.”
Apple saw Tokarev’s blog and apologized again. The company said its teams were still investigating the three remaining vulnerabilities as of Sept. 27, but Tokarev announced deficiencies last week in line with standard vulnerability detection protocols.
Ethical hackers have criticized Apple’s program to make up for mistakes and the company’s general conduct of public security researchers, citing a lack of communication, payment issues and other problems. The initiative offers payments for mistakes and abuses.
Earlier this week, researcher Bobby Rauch publicly revealed the AirTag vulnerability after Apple failed to answer basic questions about the bug and whether Rauch would be credited with the discovery. The error allows attackers to insert code that could redirect good Samaritans to a malicious website when the device is scanned in lost mode.
Friendly communicator. Music maven. Explorer. Pop culture trailblazer. Social media practitioner.