Denis Tokarev’s Four Zero-Days
Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the person who reported them.
Via Andy Ihnatko:
Defenders of a multi-trillion-dollar company can’t whine “But this stuff is harrrrrd…they operate at scaaale” in the face of evidence that Apple crunched all the numbers and found that the company’s DGAF Index on this issue was too high to merit action.
This is another moment when I remind everybody that Apple moved heaven and earth to refit and equip its stores to accommodate the sale of $12,000 solid gold gadget watches. They are capable of properly crediting a security researcher who’s saving our collective asses.
Finally: when they decline to properly recognize the people whose independent research makes iPhones safer, they’re actively discouraging them from disclosing deathly security problems via the route that’s keeps things safest for iPhone users: a confidential report to Apple.
This is why every time Apple defends itself from criticism by claiming that their actions, decisions, policies, whatever are “in the best interests of our users,” I nod and write “Apple responded to the controversy by making a sequence of noises familiar to seasoned observers.”
I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case.
Three others remain unaddressed, including a Game Center bug that allegedly allows any app installed from the App Store to access full Apple ID email and name, Apple ID authentication tokens, lists of contacts, and some attachments.
Denis Tokarev (Hacker News, MacRumors):
Only after I had published a post detailing three iOS 0-day vulnerabilities and expressing my frustration with Apple Security Bounty Program, I received a reply from Apple:
We saw your blog post regarding this issue and your other reports.
We apologize for the delay in responding to you. We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.
Please let us know if you have any questions.
Indeed, I do have questions. The same ones that you have ignored. I’m gonna repeat them. Why was the fix for analyticsd vulnerability quietly included in iOS 14.7 update but not mentioned on its security content list? Why did you promise to include it in the next update’s list but broke your words not once but three times? Why do you keep ignoring these questions?
[…]
So in this article I’m going to dispute the claim that the App Store is safe, voice my complaints about the App Store review process and provide a detailed explanation (including source code) how malicious apps on the App Store conceal their functionality from the App Store review team and are able to sneak into the App Store.
Until we have some outrageously horrible events which will affect directly general population, all this facts will be comfortably avoided and “mitigated”.
This is systemic problem derived not only from bad management and absence of responsibility.
Apple quietly fixed gamed vulnerability in iOS 15.0.2 without giving me credit. Took them 7 months to fix it! Both of my other 0-days are still unpatched.
After this I’ve sent 2 emails to Apple, complaining about lack of credit for gamed and analytics vulns. They replied to the first one pretty fast (6hrs) saying “We ask you treat the following information as confidential”.
[…]
However, they haven’t replied to my second email continuing to ignore my questions about analyticsd vulnerability which I asked exactly a month ago.
Sergiu Gatlan (via Hacker News):
Other bug bounty hunters and security researchers have also reported having similar experiences when reporting vulnerabilities to Apple’s product security team via the Apple Security Bounty Program.
Some said bugs reported to Apple were silently fixed, with the company failing to give them credit, just as it happened in this case.
It’s no great surprise to anyone that Apple has a rocky relationship with many security researchers. Years ago, well-known researcher and co-author of the book “The Mac Hacker’s Handbook”, Charlie Miller, figured out how to get a “malicious” proof-of-concept app into the App Store, and reported this to Apple after having achieved it. His reward? A lifetime ban from Apple’s developer program.
This says a lot about Apple’s relationship with third-party security researchers. Unfortunately, things haven’t changed much over the years, and this is a constant cause of strains in the relationship between Apple and the people trying to tell it about security issues. During the conference, Apple got booed several times by the audience following reports from OBTS speakers of mismanaged bug reports and patches.
What is it that Apple has been accused of doing? There have been multiple offenses, unfortunately. First, a number of security researchers have reported getting significantly lower bug bounties from Apple’s bug bounty program than they should have earned. For example, Cedric Owens (@cedowens) discovered a bug in macOS that would allow an attacker to access sensitive information. Apple’s bug bounty program states that such bugs are worth up to $100,000. They paid Cedric $5,000, quibbling over the definition of “sensitive data.” (For the record: Cedric’s bug absolutely gave access to what any security researcher or IT admin would consider sensitive data… more on this later.)
Other researchers have reported similar issues, with significantly reduced payments for bugs that should have qualified for more. Further, there is often a significant wait for the bounties to be paid, after the bugs have been fixed—sometimes six months or more. Apple also had a tendency to “go silent,” not responding to researchers appropriately during the process of handling bug reports, and has repeatedly failed to properly credit researchers, or even mention important bugs, in its release notes.
Previously:
- iOS Vulnerabilities Either Unfixed or Uncredited
- Zero-click iMessage Attacks
- Security Researchers Unhappy With Apple’s Bug Bounty Program
- iOS Zero-day to Steal Authentication Cookies
- Apple vs. Security Researchers