Controversies and complaints are not something new to Apple’s Bug Security Program. Security researchers blame Apple for its laid-back attitude when it comes to fixing 0-day bugs. This time around, a security researcher reported multiple 0-day vulnerabilities on iOS 15. They were first reported to Apple six months ago, and the company is yet to fix them.
Delay in Fixing Bugs
The security researcher has detailed his experience in a blog post. He reported four 0-day vulnerabilities between March 10 and May 4. However, Apple has fixed only one while the remaining three are present in the latest version of iOS 15. The company apologized and blamed it on a processing issue. Apple promised that the issue would be fixed in forthcoming updates. Despite the assurance, the 0-day vulnerabilities remain unpatched to this date.
Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.
True to his words, the researcher has made the vulnerabilities public. One of the exploits allows any app installed from the App Store to access data without user permission. In other words, the app can access Apple ID email, Apple ID authentication token, file system read access, Speed Dial database, and address book database.
The next vulnerability allows any user-installed app to check if a particular app is installed on the device by using bundle ID. Advertising agencies could potentially use this particular vulnerability to create a digital fingerprint.
Apple Turns a Blind Eye
This is not the first time security researchers have expressed displeasure at Apple’s Security Bounty program. In July, a researcher “feels robbed” after Apple refused to pay bug bounty. Earlier this month, a report detailed why security researchers are not interested in Apple’s Security bounty program.
It seems like Apple has decided to ignore the problem despite all the complaints and negative experiences. Ivan Krstic, Apple’s head of security engineering, termed the program as a “runaway success.” On the other hand, there is a good chance security researchers could report the bug to a third party. Eventually, the 0-day vulnerabilities are used to build mass surveillance programs like the Pegasus spyware.[via HABR]