{"id":49819,"date":"2025-10-28T14:39:55","date_gmt":"2025-10-28T18:39:55","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=49819"},"modified":"2026-01-05T15:49:25","modified_gmt":"2026-01-05T20:49:25","slug":"airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/10\/28\/airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty\/","title":{"rendered":"AirTrafficDevice: Ignored, Reluctantly Fixed, No CVE, No Bounty"},"content":{"rendered":"<p><a href=\"https:\/\/paradisefacade.com\/blog\/2025\/10\/28\/airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-a-story-of-a-serious-privacy-leak-in-ios\">Rosyna Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/paradisefacade.com\/blog\/2025\/10\/28\/airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-a-story-of-a-serious-privacy-leak-in-ios\"><p>I wholly and utterly believe in the principle behind Apple&rsquo;s <a href=\"https:\/\/developer.apple.com\/documentation\/apptrackingtransparency\">App Tracking Transparency<\/a> initiative. I therefore consider anything that is both <\/p><ul><li><p>uniquely tied to a user and<\/p><\/li><li><p>available when &ldquo;Allow Apps to Request to Track&rdquo; is disabled to be a gross violation of the spirit of App Tracking Transparency.<\/p><\/li><\/ul><p>[&#8230;]<\/p><p>While Apple has <a href=\"https:\/\/support.apple.com\/en-us\/125108\">fixed 3-4 (search for my name)<\/a> of the 21 privacy bugs (and one kernel panic) I reported, Apple decided they weren&rsquo;t eligible for the bug bounty.<\/p><p>[&#8230;]<\/p><p>When I first reported <em>OE11020806152810<\/em>, it was almost immediately closed as &ldquo;Not to be fixed&rdquo;. 
I had to gently poke a few bears to get it back to &ldquo;we&rsquo;ll fix this.&rdquo;<\/p><p>However, Apple never assigned a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Common_Vulnerabilities_and_Exposures#CVE_identifiers\">CVE<\/a> while reluctantly fixing this serious bug\/privacy leak.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/10\/24\/europe-vs-app-tracking-transparency\/\">Europe vs. App Tracking Transparency<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/10\/20\/meta-allegedly-bypassed-app-tracking-transparency\/\">Meta Allegedly Bypassed App Tracking Transparency<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/10\/10\/evolution-of-apple-security-bounty-program\/\">Evolution of Apple Security Bounty Program<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/05\/14\/no-bounty-for-kernel-vulnerability\/\">No Bounty for Kernel Vulnerability<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/09\/09\/security-researchers-unhappy-with-apples-bug-bounty-program\/\">Security Researchers Unhappy With Apple&rsquo;s Bug Bounty Program<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/07\/13\/more-trouble-with-the-apple-security-bounty\/\">More Trouble With the Apple Security Bounty<\/a><\/li>\n<\/ul>\n\n<p id=\"airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2025-11-07\">Update (<a href=\"#airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2025-11-07\">2025-11-07<\/a>): Another example, from <a href=\"https:\/\/substack.com\/home\/post\/p-165008980\">Joseph Goydish II<\/a>:<\/p>\n<blockquote cite=\"https:\/\/substack.com\/home\/post\/p-165008980\"><p>A critical vulnerability in Apple&rsquo;s iOS activation backend allows for the injection of unauthenticated XML <code>.plist<\/code> payloads during the device setup phase. 
The flaw permits arbitrary provisioning changes without authentication, signature verification, or error feedback&mdash;exposing devices to pre-activation tampering and persistent configuration manipulation.<\/p><\/blockquote>\n\n<p>He says this had already been <a href=\"https:\/\/cyberpress.org\/apple-ios-activation-vulnerability\/\">actively exploited<\/a> when he reported it to Apple back in May:<\/p>\n\n<blockquote cite=\"https:\/\/cyberpress.org\/apple-ios-activation-vulnerability\/\">\n<p>Forensic analysis on devices freshly reset and activated on iOS 18.5 revealed persistent entries in system caches such as <code>CloudKitAccountInfoCache<\/code> and <code>CommCenter<\/code>, as well as configuration drifts that could not be attributed to any user action.<\/p>\n<\/blockquote>\n\n<p>However, Apple &ldquo;continues to classify it as &lsquo;hypothetical&rsquo; and has not acknowledged the evidence as sufficient to deem it a vulnerability.&rdquo;<\/p>\n\n<blockquote cite=\"https:\/\/cyberpress.org\/apple-ios-activation-vulnerability\/\">\n<p>The lack of remediation leaves iOS devices, including those running the latest stable release, vulnerable to advanced post-exploitation tactics, warranting immediate attention from both Apple and enterprise security teams.<\/p>\n<\/blockquote>\n\n<p>Update (2025-11-07): <a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/115117806088570173\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/115117806088570173\">\n<p>There&rsquo;s an anonymous GitHub account that just joined a few months ago and this month posted a bunch of fake Apple vulnerabilities with no reproduction steps.<\/p>\n<\/blockquote>\n\n<p id=\"airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2025-11-25\">Update (<a href=\"#airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2025-11-25\">2025-11-25<\/a>): <a href=\"https:\/\/mastodon.social\/@rosyna\/115596663147642181\">Rosyna 
Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@rosyna\/115596663147642181\">\n<p>Some of the privacy leaks I&rsquo;ve reported in iOS have now received &ldquo;Fall 2026&rdquo; tags.<\/p>\n<p>Also, funny, although 3 got CVEs and Apple actually congratulated me for earning a bounty back in September, Apple hasn&rsquo;t sent a dime yet.<\/p>\n<\/blockquote>\n\n<p id=\"airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2025-12-01\">Update (<a href=\"#airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2025-12-01\">2025-12-01<\/a>): <a href=\"https:\/\/mastodon.social\/@rosyna\/115622257125216806\">Rosyna Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@rosyna\/115622257125216806\">\n<p>I thought my best chance was with the Apple bounty as they explicitly said, &ldquo;congratulations, you won a bounty&rdquo; back in mid-September. But they won&rsquo;t answer any follow up questions as to where the reward is.<\/p>\n<\/blockquote>\n\n<p id=\"airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2026-01-05\">Update (<a href=\"#airtrafficdevice-ignored-reluctantly-fixed-no-cve-no-bounty-update-2026-01-05\">2026-01-05<\/a>): <a href=\"https:\/\/x.com\/rosyna\/status\/2008245069070090424\">Rosyna Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/rosyna\/status\/2008245069070090424\">\n<p>Someone at Apple saw my blogosplat post detailing the problems I&rsquo;ve been having. They expedited the payment of 5 bounties (most $1k bounties) and I received the payment on Dec 31st just after the ball dropped!<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Rosyna Keller: I wholly and utterly believe in the principle behind Apple&rsquo;s App Tracking Transparency initiative. 
I therefore consider anything that is both uniquely tied to a user and available when &ldquo;Allow Apps to Request to Track&rdquo; is disabled to be a gross violation of the spirit of App Tracking Transparency. [&#8230;] While Apple has fixed 3-4 (search [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-10-28T18:39:59Z","apple_news_api_id":"15d9fcfd-dc9b-42e1-a846-2e652a2f4603","apple_news_api_modified_at":"2026-01-05T20:49:29Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABQ==","apple_news_api_share_url":"https:\/\/apple.news\/AFdn8_dybQuGoRi5lKi9GAw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2065,2098,31,2586,2741,355,2109,48,251],"class_list":["post-49819","post","type-post","status-publish","format-standard","hentry","category-technology","tag-app-tracking-transparency","tag-apple-security-bounty","tag-ios","tag-ios-18","tag-ios-26","tag-privacy","tag-radar-and-feedback-assistant","tag-security","tag-working"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/49819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=
49819"}],"version-history":[{"count":7,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/49819\/revisions"}],"predecessor-version":[{"id":50618,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/49819\/revisions\/50618"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=49819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=49819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=49819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}