Exploit code released for three iOS 0-days that Apple failed to patch

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,246
41,414
Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the researcher.

The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4. However, the company silently patched one of them in July with the release of 14.7 without giving credit in the security advisory.

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," the researcher said earlier today. "There were three releases since then and they broke their promise each time."

"Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day.

Since then, all attempts made to get an explanation for Apple's failure to fix the rest of these unpatched vulnerabilities and for their refusal to credit them were ignored.

"All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected," the researcher said, referring to the analyticsd zero-day silently patched in iOS 14.7.

"That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if 'Share analytics' was turned off in settings.

"My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case," the researcher added.

Other security researchers and bug bounty hunters have also gone through a similar experience when reporting vulnerabilities to Apple's product security team via the Apple Security Bounty Program.
 

jetman

Level 9
Verified
Jun 6, 2017
406
1,453
I hope Apple trawl the dark web looking for exploits for sale. If a company like NSO group is selling things like the Pegasus spyware, there's a good chance it acquired the exploits in some sort of online auction. And if NSO can pay for these things then I am pretty certain Apple can. Apple also need to pay their bug-bounty finders the market rate and treat them well to keep them happy. We can be certain that if flaws exist, the security services of the American, European, Chinese and Russian states know about them already and are probably exploiting them in secret.
 

CyberTech

Level 36
Verified
Nov 10, 2017
2,546
17,235
In 2019, Apple opened its Security Bounty Program to the public, offering payouts up to $1 million to researchers who share critical iOS, iPadOS, macOS, tvOS, or watchOS security vulnerabilities with Apple, including the techniques used to exploit them. The program is designed to help Apple keep its software platforms as safe as possible.

In the time since, reports have surfaced indicating that some security researchers are unhappy with the program, and now a security researcher who uses the pseudonym "illusionofchaos" has shared their similarly "frustrating experience."

In a blog post highlighted by Kosta Eleftheriou, the unnamed security researcher said they reported four zero-day vulnerabilities to Apple between March and May of this year, but they said that three of the vulnerabilities are still present in iOS 15 and that one was fixed in iOS 14.7 without Apple giving them any credit.

I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page.

When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update.

There were three releases since then and they broke their promise each time.

The person said that, last week, they warned Apple that they would make their research public if they didn't receive a response. However, they said Apple ignored the request, leading them to publicly disclose the vulnerabilities.

One of the zero-day vulnerabilities relates to Game Center and allegedly allows any app installed from the App Store to access some user data:
- Apple ID email and full name associated with it

- Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user

- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all the user's interactions with these contacts (including timestamps and statistics), also some attachments (like URLs and texts))

- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one is inaccessible, so that one must have been quietly fixed recently)

The other two zero-day vulnerabilities that are apparently still present in iOS 15, as well as the one patched in iOS 14.7, are also detailed in the blog post.
 

robboman

Level 1
Jul 11, 2018
28
145
The person said that, last week, they warned Apple that they would make their research public if they didn't receive a response. However, they said Apple ignored the request, leading them to publicly disclose the vulnerabilities.

That is a threat and constitutes blackmail. This kind of behavior is reprehensible. If I ever discovered that one of my people did this I would fire them immediately, even if they were doing the bug bounty on their own personal time off the clock.

My personal experience with quite a few researchers is that a significant number are obnoxious with bad attitudes. As if people owe them something.

The exploits are reported to the company developing the software, and this company then has a certain amount of time to fix this exploit and push an update out. After this period the company or individuals are allowed to release the details of the exploit they found, whether a fix has been released or not. This is a standard practice. The blame here should fall on Apple, for not acting on the information they have been given and endangering their users.
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,246
41,414
The exploits are reported to the company developing the software, and this company then has a certain amount of time to fix this exploit and push an update out. After this period the company or individuals are allowed to release the details of the exploit they found, whether a fix has been released or not. This is a standard practice. The blame here should fall on Apple, for not acting on the information they have been given and endangering their users.

While that is correct, I don't like this trend (started by Google's Project Zero?) of publishing the details of the exploit whether a fix has been released or not.
Especially when there is still no fix.
 

CyberTech

Level 36
Verified
Nov 10, 2017
2,546
17,235
Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after he said that Apple had ignored his reports and had failed to fix the issues for several months.

Tokarev today told Motherboard that Apple got in touch after he went public with his complaints and after they saw significant media attention. In an email, Apple apologized for the contact delay and said that it is "still investigating" the issues.

"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," an Apple employee wrote. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."

Apple did fix one of the vulnerabilities in iOS 14.7, but did not provide Tokarev with credit. Three others remain unaddressed, including a Game Center bug that allegedly allows any app installed from the App Store to access full Apple ID email and name, Apple ID authentication tokens, lists of contacts, and some attachments.

Details on all of the zero-day vulnerabilities have been published publicly by Tokarev, which may prompt Apple to fix them faster.

Tokarev first contacted Apple about these bugs between March 10 and May 4, so Apple has had months to issue patches, but it's worth noting that several security researchers and Tokarev himself have confirmed that the bugs are not highly critical as exploiting them would require a malicious app to first receive App Store approval.

Still, experts have criticized Apple's response and its bug bounty program. Cybersecurity expert Katie Moussouris told Motherboard that Apple's handling of the process is "not normal and should not be considered normal," while researcher Nicholas Ptacek said that Apple's response comes across as a "reaction to bad press."

Earlier this month, The Washington Post interviewed more than two dozen security researchers to expose the flaws in Apple's bug bounty program. Researchers said that Apple is slow to fix bugs and doesn't always pay out what's owed, leading researchers to be unhappy with Apple's program.

At the time, Apple's Head of Security Engineering and Architecture, Ivan Krstić, said that Apple is "planning to introduce new rewards for researchers" to expand participation, and that Apple is working toward offering new and even better research tools.
 

Vitali Ortzi

Level 22
Verified
Dec 12, 2016
1,095
4,029
That poor guy got a DMCA strike for posting Apple's internal Atlas toolbox IP
You can visit it too by replacing “(dot)”with “.”
101(dot)132(dot)96(dot)154

Anyway, Apple is really with regards to how they have treated security researchers over the years, thankfully, since there were a lot of times in the past they haven't fixed a CVE correctly
I got the luxury of having a jb
 

Freki123

Level 9
Verified
Aug 10, 2013
405
1,437
The way Apple treated researchers, they can be glad that researchers still tell them about problems and don't just sell the 0-days. Being a whitehat and being treated like trash really motivates people in the long run :D
 