[TheRecord] Researcher dumps three iOS zero-days after Apple failed to fix issues for months

A security researcher published details on Thursday about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year.

Going by the pseudonym Illusion of Chaos, the researcher published their findings on the Russian blogging platform Habr and released proof-of-concept code for each vulnerability on GitHub.

This includes:

A vulnerability in the Gamed daemon that can expose user data such as Apple ID emails, names and auth tokens, and that grants file system access.

A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device.

An additional vulnerability in the nehelper daemon that can also be used from within an app to gain access to a device's Wi-Fi information.

The researcher said the vulnerabilities are still exploitable in iOS 15, released earlier this week.

The researcher also published proof-of-concept code for a fourth issue, affecting the iOS Analyticsd daemon. This was also part of the initial four bugs they reported to Apple in April, but it was the only issue patched by the OS maker, in iOS 14.7 in July.

An Apple spokesperson did not return a request for comment, but several security researchers told The Record that Apple might not have prioritized the three issues as they could not lead to “code execution.”

I want to share my frustrating experience participating in the Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4; as of now, three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There have been three releases since then and they broke their promise each time.

Illusion of Chaos on Habr

The researcher cited similar experiences from other researchers, all of whom reported issues to Apple's bug bounty program only to be ignored, have their bounties reduced, or have payments for their work delayed.

#infosec #bugbounty #bughunter
Apple bug bounty program is like a joke. After 3 months of the fix and their thoroughly "investigate", my 0-click heap buffer overflow goes unpaid without a reliable exploit. Well done, Apple.
Maybe next time I will publish their vuln before it gets fixed. pic.twitter.com/ngo940dimb

— 5n1p3r0010 (@5n1p3r0010) May 20, 2021

With today’s fixes, I have 17(!!) cases with Apple, where the reward wasn’t even decided in the Apple Security Bounty program. Some of these pending since the release of Big Sur 11.0.1. #apple #asb

— Csaba Fitzl (@theevilbit) July 21, 2021

Researchers who are naive enough to submit bugs to Apple bug bounty should start demanding interest on the payments. They are losing investment opportunities and good returns on that money 😂😂😂😂😂
Say no to Apple bug bounty 🖕

— fG! (@osxreverser) July 21, 2021

Illusion of Chaos' actions come after another researcher, disheartened with Apple's bug bounty program, also decided to release an iOS lock screen bypass on Monday, the day iOS 15 launched.

A Washington Post article published two weeks ago contained similar accusations from other researchers about how the company's security team was leaving bug reports unresolved for months, shipping incomplete fixes, low-balling monetary rewards, or banning researchers from the program when they complained.

The post Researcher dumps three iOS zero-days after Apple failed to fix issues for months appeared first on The Record by Recorded Future.
