Spurned researcher posts trio of iOS zero days
An anonymous bug hunter critical of Apple's handling of reports to its bounty program has released details on three zero-day vulnerabilities in its iOS mobile platform.
Apple is facing criticism of its bug bounty and vulnerability reporting program following the release of three zero-day flaws in iOS.
A researcher operating under the handle "illusionofchaos" wrote in a blog post that they decided to release details on the three flaws after being treated poorly by Apple's vulnerability disclosure program. Specifically, illusionofchaos accused Apple of not properly crediting or listing the flaws on its security content notes.
"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," the bug hunter explained. "There were three releases since then and they broke their promise each time."
After failing to get proper credit from Apple, illusionofchaos decided to drop the details of all three flaws in a single public disclosure. Third-party researchers who reviewed the write-ups have confirmed that all three are valid security flaws.
The first flaw, dubbed "Gamed 0-day," would let an app distributed through the App Store read a range of user and device data: the user's contacts and contact photos, the Apple ID username and the name of the account owner, and the Apple ID authentication token.
The second, described as a "Nehelper Enumerate Installed Apps 0-day," would let a user-installed app determine which other apps are installed on the device. On its own this is less a security risk than a privacy one, but as a privacy breach it is significant.
The third vulnerability, "Nehelper Wifi Info 0-day," concerns the way Apple's nehelper component handles, or in this case fails to handle, the entitlement checks that are supposed to gate access to Wi-Fi information.
"This makes it possible for any qualifying app (e.g. posessing [sic] location access authorization) to gain access to Wifi information without the required entitlement," the researcher wrote.
The researcher also described a fourth vulnerability, affecting analytics logs, that was fixed in iOS 14.7; Apple did not publish technical details of the flaw and did not credit illusionofchaos with the discovery.
UPDATE 9/27: A day after publishing the blog post, illusionofchaos said they had finally received a response from Apple stating that the company is still investigating the vulnerabilities. According to illusionofchaos, Apple's response also thanked the researcher for reporting the issues and apologized for the delay in replying.
As illusionofchaos pointed out, they are not the first bug bounty hunter to have problems with the way Apple handles reports and gives credit for security finds.
Noted Apple security researcher Patrick Wardle, founder of Objective-See, told SearchSecurity that these sorts of issues have been going on for some time.
"The fact that security researchers are so frustrated by Apple's Bug Bounty program that they are giving up on it, turning down (potential) money, to post free bugs online is rather telling," Wardle wrote in an email.
"Personally, I've had to reach out on multiple occasions to ask why Apple had failed to credit my bugs/research," he wrote. "Though it was always remedied (i.e. the security notes were updated and a CVE assigned), it was annoying and frustrating, and definitely made me question Apple's commitment to security in the context of interacting with the external research community."