Last month, cyber security researcher and developer Denis Tokarev went public with three zero-day exploits he had discovered in iOS 15 after Apple failed to acknowledge his work and patch the vulnerabilities he reported. Apple has since fixed one of the three active vulnerabilities in the iOS 15.0.2 update, but did not credit Tokarev, and this is not the first time.
Previously, Tokarev had reported four zero-day vulnerabilities to the company through its Security Bounty program. In the iOS 14.7 update, Apple likewise patched an analyticsd exploit found by Tokarev without giving him credit. After the researcher went public, the company apologized for the delayed response, but only superficially.
When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
Apple quietly fixes a zero-day exploit
On GitHub, Tokarev detailed how any app downloaded onto a device running iOS 15 can access the email address and full name associated with the user's Apple ID, the Apple ID authentication token, and much more. He also mentions that the bounty for finding such a bug is $100,000, but it is unclear whether he was rewarded.
On the Apple Security Bounty Program page this class of vulnerability is valued at $100,000 ("Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. 'Sensitive data' access includes gaining broad access (i.e., the full database) from Contacts").
Like last time, the frustrated researcher is being given the silent treatment by the company.
Seems that they don't have a separate protocol on handling reports which were already disclosed. And if this message contains a legit excuse, they could save a tiny bit of reputation by making it public. But it's up to them, I won't disclose the full message until I get credit. 2/3 pic.twitter.com/iG6waUELtk
— Denis Tokarev (@illusionofcha0s) October 13, 2021
Furthermore, the other two iOS 15 zero-day vulnerabilities found by the researcher remain unpatched:
- Nehelper enumerate installed apps 0-day: The vulnerability allows any user-installed app to determine whether any other app is installed on the device, given its bundle ID.
- Nehelper Wifi Info 0-day: The XPC endpoint com.apple.nehelper accepts a user-supplied parameter, sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This makes it possible for any qualifying app (e.g. one possessing location access authorization) to gain access to Wi-Fi information without the required entitlement.