Last month, security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day vulnerabilities to Apple, with specific criticisms of how the company acted, how slowly it reacted, and its failure to credit him for the one of the three bugs that was patched. Now it seems that Apple has fixed another of the zero-day bugs, this one in iOS 15, which Tokarev discovered earlier this year, without giving him credit.
In September, Tokarev said that, after waiting up to half a year since he reported some of the vulnerabilities to Apple, he decided to release the information.
“Ten days ago I asked for an explanation and then I warned that I would publish my research if I didn’t get an explanation. My request was ignored so I am doing what I said I would. My actions comply with the guidelines for responsible disclosure (Google Project Zero detects vulnerabilities within 90 days of reporting them to the vendor, ZDI 120). I waited much longer, up to half a year in one case.”
In late September, Tokarev shared that he had received a response from Apple saying it was still working on the “problems” and apologizing for the delay.
In his September blog post, Tokarev described in detail a serious zero-day bug (one of the three) that would allow any app installed from the App Store to access personal user data, such as the Apple ID email and full name, tokens for Apple ID verification, full access to the files of the entire Core Duet database system and much more.
Now Tokarev says Apple patched the zero-day he discovered in a security update for iOS 15.0.2 without attributing it to him (via BleepingComputer).
After Tokarev received no credit when the first zero-day bug he discovered and reported to Apple was fixed in iOS 14.7 (July 19), the company told him:
“Due to processing issues, your credit will be included in the security instructions in the upcoming update. We apologize for the inconvenience.”
After the second was patched in iOS 15.0.2 with credit given to an “anonymous researcher”, Tokarev said that Apple responded within six hours, but apparently without resolving the problem of proper credit. Apple, meanwhile, has yet to respond regarding the zero-day he found that was patched in iOS 14.7.
Tokarev was asked to keep the latest emails from Apple confidential, and he has complied so far.