Apple upgraded its security rewards program back in 2019 by making it open to everyone, increasing payouts and more. However, the program has met with widespread criticism from the infosec community. Now another security researcher has shared his experience claiming that Apple did not give them recognition for one zero-day bug they reported, which has been fixed, and that there are three more zero-day vulnerabilities in iOS 15.
Update 9/27: After publicly sharing his experience, Apple responded to illusionofchaos security researcher, named Denis Tokarev.
According to the motherboard, here is what Apple officially replied, according to Tokarev:
“We have seen your blog on this issue and your other reports. We apologize for the delay in the response, “wrote an Apple employee. “We want to inform you that we are still researching these issues and how we can address them to protect customers. Thank you again for taking the time to report us with these issues, we appreciate your help. Let us know if you have any questions. ”
The motherboard confirmed an email from Apple to Tokarev as legitimate confirming that it came from an Apple-owned server. The motherboard also requested more feedback than those in the infosec community:
“While I’m glad that Apple now seems to take this particular situation more seriously, it’s more of a reaction to bad printing than anything else,” said Nicholas Ptacek, a researcher working for SecureMac, a cybersecurity company that focuses on Apple computers.
Meanwhile, another cyber security veteran said:
But the way Apple has handled this whole process, given that its bugging program is more than five years old, “is not normal and should be considered normal,” says Katie Moussouris, a cybersecurity expert who in essence, she invented the concept of rewarding mistakes more. than 10 years ago while she was at Microsoft.
Security researcher illusionofchaos shared his experience in a blog post, including a claim that Apple knew about and ignored three zero-day vulnerabilities since March, and those are in iOS 15.
I want to share my frustrating experience by participating in the Apple Security Bounty program. This year, I reported four 0-day vulnerabilities between March 10 and May 4, three of which are still present in the latest version of iOS (15.0), and one was fixed in 14.7, but Apple chose to cover it up and not they list it on the security content page. When I confronted them, they apologized, assured me that it happened due to processing issues, and promised to list it on the security content page of the next update. Since then, three editions have been published and each time they have broken their promise.
illusionofchaos says he has again asked Apple for an explanation, including that he will publish his research – in line with guidelines on responsible data disclosure – but Apple has not responded.
Ten days ago I asked for an explanation and then I warned that I would publish my research if I didn’t get an explanation. My request was ignored so I do what I said I would. My actions comply with the guidelines for responsible disclosure (Google Project Zero detects vulnerabilities within 90 days of reporting them to the vendor, ZDI 120). I waited much longer, up to half a year in one case.
illusionofchaos shared details of the three other zero-day vulnerabilities he discovered, which include “Gamed 0-day”, “Nehelper Enumerate Installed Apps 0-day” and “Nehelper Wifi Info 0-day”, including proof of concept source code.
Here is an overview of each of them:
Played 0 days
Each application installed from the App Store can access the following data without any user query:
- Apple ID email address and full name associated with it
- Apple ID authentication token that allows access to at least one of the endpoints on * .apple.com on behalf of the user
- Full access to the file system for reading the Core Duet database (contains a list of contacts from mail, SMS, iMessage, third-party messaging applications and metadata about all user interactions with those contacts (including timestamps and statistics), also some attachments (such as URLs) and texts)
- Full access to the file system for reading the speed dial database and address book database, including contact pictures and other metadata, such as creation and modification dates (I just checked on iOS 15, and this one is unavailable, so one had to be quietly fixed recently)
Nehelper lists the installed applications for 0 days
Vulnerable allows any application installed by a user to determine if an application is installed on the device based on its package ID.
Nehelper Wifi Info 0 days
com.apple.nehelper accepts the parameter provided by the user
sdk-version, and if its value is less than or equal to 524288,
com.apple.developer.networking.wifi-infothe pass check is skipped. This allows any eligible application (e.g., which has site access authority) to gain access to Wifi data without the necessary rights. This is happening in
-[NEHelperWiFiInfoManager checkIfEntitled:] u
Stepping back to see the bigger picture, Apple said its bug-escaping program “escaped success,” while the infosec community shared a number of specific criticisms and concerns about the program. This includes allegations that Apple did not respond or did not respond immediately, as well as that Apple did not pay for the detected deficiencies that meet the guidelines of the award program.
More importantly, earlier this month we learned that Apple has hired a new leader for its security program with the goal of “reforming”.
FTC: We use automatic affiliate links to make money. More.
For more news about Apple, check out 9to5Mac on YouTube:
Friendly communicator. Music maven. Explorer. Pop culture trailblazer. Social media practitioner.