[TheRecord] Researcher dumps three iOS zero-days after Apple failed to fix issues for months

A security researcher published on Thursday details about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year.

Going by the pseudonym of Illusion of Chaos, the researcher has published their findings on Russian blogging platform Habr and has released proof-of-concept code for each vulnerability on GitHub.

This includes:

A vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names, and auth tokens, and can grant file system access. A PoC is published on GitHub.

A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device. A PoC is published on GitHub.

An additional vulnerability in the nehelper daemon that can also be used from within an app to gain access to a device’s WiFi information. A PoC is published on GitHub.

The researcher said the vulnerabilities are still exploitable in iOS 15, released earlier this week.

The researcher also published proof-of-concept code for a fourth issue, affecting the iOS Analyticsd daemon. This was also part of the initial four bugs they reported to Apple in April, but it was the only issue patched by the OS maker, in iOS 14.7 in July.

An Apple spokesperson did not return a request for comment, but several security researchers told The Record that Apple might not have prioritized the three issues as they could not lead to “code execution.”

I want to share my frustrating experience participating in the Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4; as of now, three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There have been three releases since then and they broke their promise each time.

Illusion of Chaos on Habr

The researcher cited similar experiences from other researchers, all of whom reported issues to Apple’s bug bounty program, only to be ignored, have bug bounties reduced, and have payments for their work delayed [1, 2, 3, 4].

#infosec #bugbounty #bughunter
Apple bug bounty program is like a joke. After 3 months of the fix and their thorough “investigation”, my 0-click heap buffer overflow gets not paid without a reliable exploit. Well done, Apple.
Maybe next time I will publish their vuln before it gets fixed. pic.twitter.com/ngo940dimb

— 5n1p3r0010 (@5n1p3r0010) May 20, 2021

With today’s fixes, I have 17(!!) cases with Apple, where the reward wasn’t even decided in the Apple Security Bounty program. Some of these pending since the release of Big Sur 11.0.1. #apple #asb

— Csaba Fitzl (@theevilbit) July 21, 2021

Researchers who are naive enough to submit bugs to Apple bug bounty should start demanding interest on the payments. They are losing investment opportunities and good returns on that money 😂😂😂😂😂
Say no to Apple bug bounty 🖕

— fG! (@osxreverser) July 21, 2021

Illusion of Chaos’ actions come after another researcher, disheartened with Apple’s bug bounty program, also decided to release an iOS lock screen bypass on the iOS 15 launch day, on Monday.

A Washington Post article published two weeks ago contained similar accusations from other researchers about how the company’s security team was leaving bug reports unresolved for months, shipping incomplete fixes, low-balling monetary rewards, or banning researchers from its program when they complained.

The post Researcher dumps three iOS zero-days after Apple failed to fix issues for months appeared first on The Record by Recorded Future.
