In 2019, Apple opened its Security Bounty program to the public, offering payouts of up to $1 million to researchers who share critical security vulnerabilities in iOS, iPadOS, macOS, tvOS, or watchOS, including techniques for their exploitation. The program is designed to help Apple keep its software platforms as secure as possible.
Since then, reports have emerged indicating that some security researchers are dissatisfied with the program, and now a security researcher using the pseudonym “illusionofchaos” has shared a similarly “frustrating experience”.
In a blog post featured by Kosta Eleftheriou, the researcher said they reported four zero-day vulnerabilities to Apple between March and May this year, but that three of the vulnerabilities were still present in iOS 15 and one had been fixed in iOS 14.7 without Apple giving them any credit.
I want to share my frustrating experience by participating in the Apple Security Bounty program. This year, I reported four 0-day vulnerabilities between March 10 and May 4, three of which are still present in the latest version of iOS (15.0), and one was fixed in 14.7, but Apple chose to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me that it happened due to processing issues, and promised to list it on the security content page of the next update. Since then, three editions have been published and each time they have broken their promise.
The person said that last week they warned Apple that they would publish their research if they did not receive an answer. However, they said that Apple ignored the request, which led them to publicly reveal the vulnerabilities.
One of the zero-day vulnerabilities relates to Game Center and reportedly allows any app installed from the App Store to access some user data:
– Apple ID email address and full name associated with it
– Apple ID authentication token that allows access to at least one of the endpoints on *.apple.com on behalf of the user
– Full access to the file system for reading the Core Duet database (contains a list of contacts from mail, SMS, iMessage, third-party messaging applications and metadata about all user interactions with those contacts (including timestamps and statistics), as well as some attachments (like URLs and texts))
– Full access to the file system for reading the speed dial database and address book database, including contact images and other metadata such as creation and modification dates (I just checked on iOS 15, and this one is unavailable, so it had to be quietly fixed recently)
The other two zero-day vulnerabilities that are apparently still present in iOS 15, as well as the one patched in iOS 14.7, are also described in detail in the blog post.
Click to see the special use of Game Center. It’s rude. Things like this should almost never fail through a functional security program. Instead, it’s common with Apple. It’s so deeply broken, but nothing changes. What will be needed? – Marco Arment (@marcoarment) September 24, 2021
Apple has not yet commented on the blog post. We will update this story if the company responds.