Apple has been ignoring security flaws, and the bounty hunters who found them

Apple scorned researchers who found security flaws, now responds
Apple has long been touting its openness to feedback when it comes to keeping its cybersecurity protections top-notch, even promoting its long-running bug bounty program—promising great rewards to anyone who brings potential issues to light. After all, Apple prides itself with its reputation for placing extreme importance on the safety and cybersecurity of users of its products. 

However, it seems that the Cupertino-based company hasn't always followed through with its promises to bounty hunting security researchers, and has frequently failed to give credit where it's due. 

Not only has Apple not paid out the bounty for various discoveries of flaws fully meeting the bounty program's criteria, but there have been several instances so far where people have come forward with critical information regarding zero-day flaws compromising Apple's cybersecurity, yet have been blatantly ignored, time and time again. 

One of these scorned researchers is Denis Tokarev, who recently brought to Apple's attention three different zero-day flaws in iOS 15. For anyone unfamiliar, as much as it sounds like a spy movie term, a zero-day is simply a software vulnerability which has only just become known, resulting in its developer having "zero days" to fix it upon learning of it. 

Apple played deaf for months, failing to fix multiple vulnerabilities even after informed

Naturally, since iOS 15 was quite recently officially released—on September 20—it could hardly be expected to be one hundred percent perfect right from the start. However, Apple has quite irresponsibly ignored Tokarev's revelations, leaving him completely in the dark over the past month, and failing to repair the vulnerabilities for a whopping six months so far.

Recommended Stories
According to a Vice report, Tokarev disclosed the vulnerabilities to Apple way back in in March and April (as they were also present in iOS 14), but has received no further response or action from Apple since August 25. Sick and tired of waiting, on September 13, Tokarev warned the company that he would go live with all the details if it continued to ignore him.

Apple finally responded to Tokarev after he published the zero-day exploit for all to see

Still he received no answer, and he finally published the details on the zero-day vulnerabilities, including all the necessary source code to easily exploit them and initiate a zero-day attack, should any malicious party so choose, on any iPhone that has upgraded to iOS 15.

Once Tokarev went live with the information, Apple finally decided it was an opportune time to respond. In an e-mail which Motherboard (Vice's tech desk) verified came from Apple's own servers, the company wrote back, apologizing and, by the looks of it, stalling for more time:

"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple writes. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."

Such a failure to communicate and take action is far from normal

American cybersecurity expert Katie Moussouris joined the discussion, and expressed her concern that after five years of experience running a bug bounty program, such unprofessional behavior from Apple in this situation was "not normal and should not be considered normal."

"Bug bounties and vulnerability disclosure programs are like a garden," Moussouris continues in her interview with Motherboard. "You actually have to maintain them, you have to weed the garden. You have to get rid of unwanted and unnecessary delays in your process, because they're like weeds, they take up time, they take up resources."

For the record, Moussouris knows what she's talking about, as she was more or less the original inventor of bug bounty programs a decade ago, while she was working at Microsoft.

What do these three vulnerabilities mean?

The three bugs, which have been present in iPhones running iOS 14 and 15 since at least March, go by the names of “Gamed 0-day,” “Nehelper Enumerate Installed Apps 0-day,” and “Nehelper Wifi Info 0-day." As detailed by 9to5Mac, they carry the following risks to iPhone users until they are fixed:

  • Gamed 0-day 

    Gamed 0-day allows any App Store apps unauthorized access to the user's Apple ID email and full name, and list of contacts from 1) Mail, 2) SMS, 3) iMessage, and 4) other 3rd-party messaging apps, along with all the data around your communication with each of these contacts, such as timestamps, interaction statistics, and even some included attachments. All this without any prompts to the user, or permission.

    What's more, until recently, apps could also gain access to the Speed Dial database and Address Book database, along with all metadata associated with them. Apple seems to have taken care of that one recently, though, as 9to5Mac reports that this part of the exploit seems inaccessible at last.

  • Nehelper Enumerate Installed Apps 0-day

This particular exploit could give any downloaded third-party app the ability to look into bundle ID's and figure out whether or not a given app has been installed on your iPhone, should it choose to look for that information.

  • Nehelper Wifi Info 0-day

Nehelper Wifi Info 0-day has the ability to allow any app that has already been granted authorized access to the user's location, to obtain access to details about Wi-Fi networks to which the iPhone has connected, without the user's permission.

That these three vulnerabilities have been made public, Apple has only itself to blame, as Tokarev was left with essentially no other option to spur the company into action. There are no guarantees that malicious actors have not already been exploiting the bugs prior to this without anyone's knowledge, either.

As 9to5Mac has already pointed out, one part of the Gamed 0-day bug has already apparently been patched, and now Apple is definitely pressed for time to take care of the rest immediately, if it wants to avoid much worse problems and scandals in the future.

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless