As per a report, Apple has not fixed three 0-day vulnerabilities in iOS 15 that were reported to the company between March and May of 2021. The company also failed to credit the security researcher for one reported vulnerability that it fixed in iOS 14.7, which has also been highlighted in the report.
Three zero-day exploits in iOS 15 are now public
The report, as published by the researcher that goes by the name illusionofchaos, shared the frustration that Apple has not closed three out of the four zero-day security vulnerabilities that were shared with Apple, and did not credit the researcher with the fourth one which was fixed in iOS 14.7
I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
The researcher reached out to Apple multiple times but did not get any positive responses. Even their last warning to Apple, in which they stated that they will make the three zero-day flaws public, did not get a response.
The three zero-day vulnerabilities are now available as PoC source code on GitHub. These are the same PoC source codes that were shared with Apple.
In an ironic twist of fate, a jailbreak developer has released fixes for all these three zero-day exploits on Reddit, before Apple could close them. This was done within one day after the researcher disclosed them. This is surprising as jailbreak developers normally use exploits to create their jailbreak tools, while Apple tries to ensure that such exploits are closed asap.
Apple has also replied to the researcher and apologized for the delay in their response. The company said that they are still investigating the issues to see how they can fix them to protect users.
We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you.
We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.
Please let us know if you have any questions.
2 comments