Friday, September 24, 2021

iOS Vulnerabilities Either Unfixed or Uncredited

illusionofchaos (via Kosta Eleftheriou):

I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned them that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case.

Here are links to GitHub repositories that contain PoC source code that I’ve sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI.

Khaos Tian:

This is kinda bad given Core Duet tracks a lot of user activities on device. Maybe Apple’s security team really believe that App Review will capture this 🙃

Felix Krause:

Three 0-day iOS vulnerabilities for unauthorized access to medical data, iMessage, third party messengers, device usage, ...
