Researcher drops three iOS zero-days that Apple refused to fix

This article came across my radar

Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the researcher.

The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4. However, the company silently patched one of them in July with the release of 14.7 without giving credit in the security advisory.

“When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update,” the researcher said earlier today. “There were three releases since then and they broke their promise each time.”

Huge privacy and security ramifications.
It’s disappointing Apple dragged their feet and didn’t honor the bounty for such discoveries.
Now researchers have less incentive to find these vulnerabilities.

Obviously not good, but these are data reading bugs that require an app to be installed and to pass review. The typical user doesn’t install any or many apps outside of the majors (FB, Instagram, etc.) so wouldn’t be at risk.

That said, the reputation of the bounty program is harmed by incidents like this, reducing a researcher’s expected value of participation in the program which makes responsible disclosures of more serious bugs less likely.

It’s very hard to run an effective bug bounty program in a functional, secretive organization with a heavily product-driven culture. It takes years to set it up and build the right internal relations and influences to prioritize meticulous and reactionary engineering that has little user-visible benefit. The relative security early on of iOS meant they didn’t have to start taking this long process seriously until much later than Google and Facebook, and they’re paying for it now in reputation as they catch up.

I agree with most of what you said, but we’ve seen a number of apps make it through code review with malicious code.

Apple has well over a $2T market cap. They can afford to devote the right resources to the program.

I’m no expert on iOS security, but I thought the health data mentioned in the article was more difficult for apps to access (special API, Secure Enclave, etc.)? Definitely a bad look for Apple…

At the researcher’s blog post there is a list of other developers who say they were stiffed or ignored by Apple.

The video of the Lock Screen bypass is interesting, and apparently still present in iOS 15.

This is absurd! This isn’t a security problem, it’s a business problem. Apple seriously needs to get it together here. There is a market for these types of zero-days that pays much more than $25k.

They’re literally going for the trifecta: don’t fix the issues, don’t respond to the people who report these issues, and then don’t pay after they have responded. Extremely disappointing…

Apple must do better at this. They can afford it; they’ve been stingy and stupid, and it will eventually cause them problems if they don’t correct course. No excuse. They must do better.

My guess is that Facebook or one of the companies they bought (for example Instagram) would be the first to abuse this…