Researcher discloses three iOS zero-days, still exploitable in iOS 15, and criticizes...

Daniel Sims

In brief: An anonymous researcher disclosed three zero-day vulnerabilities in iOS this week, claiming Apple's latest iOS 15 update is still vulnerable to them. The researcher criticized Apple for ignoring warnings about the vulnerabilities, saying they first reported them to Apple in April. The vulnerabilities could be used to expose Apple IDs, real names, Wi-Fi information, and more.

In a blog post, the researcher says they first sent a report of four vulnerabilities to the Apple Security Bounty program on April 29. Apple addressed one of the vulnerabilities in iOS 14.7 in June, but didn't mention it in the security notes for that update. The researcher says Apple still hasn't mentioned it in subsequent security notes, addressed the other three vulnerabilities, or given them credit for discovering the vulnerabilities.

The researcher warned Apple on September 13 that they would make their research public if it did not address the remaining vulnerabilities. This week's blog post containing full descriptions of the security holes, as well as links to their GitHub repositories, seems to be in response to Apple's release of iOS 15, which has not fixed them.

One vulnerability can allow any app, without prompting the user, to access the device's Apple ID along with the full name associated with it. It can also access a list of contacts from SMS, Mail, iMessage, and third-party messaging apps, and it can read metadata about how users interact with those contacts, including timestamps, URLs, and texts. The researcher thinks iOS 15 may have partially fixed this exploit.

Another vulnerability lets any installed app determine whether any other app is also installed by querying its bundle ID. The third vulnerability lets any app potentially access Wi-Fi information it isn't supposed to see. The vulnerability that iOS 14.7 fixed could let apps read analytics data such as medical information, screen time, the languages users viewed in Safari, and more.

A software engineer has since corroborated the claim that at least one of the exploits works in iOS 15.

This week Apple did, however, release iOS 12.5.5, a security update for devices still running iOS 12. That includes older devices like the iPhone 5s and iPhone 6, which stopped receiving major updates after iOS 12. It addresses security holes that could lead to arbitrary code execution.


 
So he's throwing his toys out of the pram because he did not get any money or acknowledgement for finding these bugs, when it's entirely possible that he wasn't the only one or the first one who found them. And in response he took his findings public out of frustration, throwing Apple users under a bus.

Yeah, it sounds like he really cares about users' security…

I'd like to condemn Apple's security, but whenever this happens on Android, Google just advises the OEM to release an update, which we know rarely happens, especially on older devices. So whilst Apple could be better, they are market leaders in security.

Still, come on Apple, you’ve only released two updates this month chop chop!

 
The six month grace period is not something he made up, I've seen the same or shorter from other reputable organizations. Google's Project Zero disclosure policy is at 90 days for the patch + 30 days for user adoption for example.

Yes, you're right it's entirely possible he wasn't the only person to find them, with some of those other people being active exploiters. That's why public disclosure is needed, both for pressure on the vendors to fix and for the most vulnerable/concerned to know so they can react accordingly.

The only real question here is why did Apple not close these with plenty of notice to do so. I wonder if some of these were intentionally kept open for whatever reason, such as those police devices that let an officer pull off contacts & messages on a traffic stop just by attaching a cable...
 
Or Apple could do this thing called "communication". A simple "yup, someone found that already, working on a fix" (you get what I mean).

Don't need to be a white knight for Apple every time, especially since 6 months is pretty generous (along with other warnings).
 
The thing is, you make more money selling zero-days to NSO Group than from bug bounties, by far.
So I think companies should pander a little to these researchers.
 
I'm not defending Apple; as your comment mentions, this is not in line with Apple's usual standards. This should have been patched, and 6 months is a long time.

However, if you look at the terms and conditions, it does state:

“For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available”

As some of the vulnerabilities are unfixed, this might explain why he hasn't had a response. This makes sense; you don't want to confirm a vulnerability to anyone outside of the company, for obvious reasons. There appears to be no time limit on the bug bounty programme, so the researcher deciding to go public after 6 months is a condition he decided on, not Apple. It is a sort of standard in other organisations, but it's not a contract and it's not mentioned anywhere in Apple's programme.

But clearly this researcher has found a vulnerability, threatened Apple with it and then taken it public. You could argue that this is the kind of person you need to patch your software against. There is no benefit for anyone in him going public with it. Apple loses face, the public become vulnerable. It seems like he's taken revenge for Apple not acknowledging him when it's completely at their discretion to do so.

Usually in the first month or so after a new OS iteration there are further security updates; you never know, his vulnerabilities might have been fixed next week in a patch, at which point Apple would be able to securely confirm the issues' existence.
 
“For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available”

Doesn't this sound pompous? I'm sure Apple communicates with outsiders all the time, like the big boys.

This is one reason people hate these big corps: there is no natural justice, except at crippling costs, e.g. Epic vs Apple (not saying Epic is right). I.e. we make the rules, we will twist the rules to always favour us, we will make it hard to even have a normal conversation with us.
I took Booking.com to court and won. They were as evasive as possible; they hide local contact info. Thankfully I knew to search the NZ company register so they could be served. They settled in full 30 minutes before the court case. I knew they would, as they disclosed no evidence before the court case (legal requirement to submit evidence to the other side 14 days before the hearing). Companies like Apple and Booking.com try to be as obtuse as possible; you might as well be head-butting a brick wall.

So going to the media is the ONLY recourse most of us have.
My court case cost NZ $90 to file (Disputes Tribunal, no lawyers). Kind of sad the case didn't go ahead, as no matter what legal leg they stood on, I would have kicked it out: if they claimed A I would have got them on B; if they claimed B I would have got them on A. A and B were either/or.
Nor did they argue in good faith. Apple/Google won't with you either.
 
Whilst I don't particularly disagree on any given point, I do also think that discovering a vulnerability doesn't entitle you to anything. Not getting a response or a fix from Apple is not justification for releasing a vulnerability to the public. Releasing the vulnerability to the public can put general users at risk, and he is responsible for that, not Apple.

This is bad for Apple; its bug bounty programme is supposedly designed to prevent exactly this. But I don't have much sympathy for the researcher.
 
You're entitled to your personal opinion, but please understand that public disclosure after notice of a reasonable grace-period policy is common among professional security researchers, for reasons of public good (and not about trying to collect a bounty, which is usually peanuts anyway).

Exceptions are of course made on justified request but there is no indication Apple asked for one here.

You trying to make it about this one guy having some sort of temper tantrum is incredibly unfair to him and does not reflect particularly well on your understanding either.

If you're interested you can find academic and commercial literature discussing why these stances have been adopted, which will do a far better job explaining it than I can here.
 
By the sounds of things, it is probably me who should be schooling you. For a start, the money involved is actually quite significant. It can be hundreds of thousands of dollars. Also, these firms receive literally thousands of these reports every week. It is naive and unreasonable to expect them all to be responded to.

I do know quite a bit about cyber security; if you do want any further advice, DM me and I will be more than happy to educate you further.
 
Here is Google's FAQ explaining their disclosure policies. Maybe you can school them about how little they know about their field or what it's like being a big company in the public eye.

I do agree with you on one thing: firms don't owe anyone in particular a response. If the issue is too trivial to be a public concern, it doesn't need a fix or a comment. But by that same token, there should also be no objection to it being a public discussion either.

If the issue is serious enough that it can not be disclosed, then yes it is completely reasonable to expect if not a timely fix then a reply requesting an extension.
 