Researcher dumps three iOS zero-days after Apple failed to fix issues for months


A security researcher published details on Thursday about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year.

Going by the pseudonym Illusion of Chaos, the researcher published their findings on the Russian blogging platform Habr and released proof-of-concept code for each vulnerability on GitHub.

This includes:

A vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names, auth token, and grant file system access. PoC here.

A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device. PoC here.

An additional vulnerability in the nehelper daemon that can also be used from within an app to gain access to a device’s WiFi information. PoC here.

The researcher said the vulnerabilities are still exploitable in iOS 15, released earlier this week.

The researcher also published proof-of-concept code for a fourth issue, affecting the iOS Analyticsd daemon. This was also part of the initial four bugs they reported to Apple in April, but it was the only issue patched by the OS maker, in iOS 14.7 in July.

An Apple spokesperson did not return a request for comment, but several security researchers told The Record that Apple might not have prioritized the three issues as they could not lead to “code execution.”

I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Illusion of Chaos on Habr

The researcher cited similar experiences from other researchers, all of whom reported issues to Apple’s bug bounty program only to be ignored, have bounties reduced, or have payments for their work delayed [1][2][3][4].

#infosec #bugbounty #bughunter
Apple bug bounty program is like a joke. After 3 months of the fix and their thorough "investigate", my 0-click heap buffer overflow gets not paid without a reliable exploit. Well done, Apple.
Maybe next time I will publish their vuln before it gets fixed.

— 5n1p3r0010 (@5n1p3r0010) May 20, 2021

With today's fixes, I have 17(!!) cases with Apple, where the reward wasn't even decided in the Apple Security Bounty program. Some of these pending since the release of Big Sur 11.0.1. #apple #asb

— Csaba Fitzl (@theevilbit) July 21, 2021

Researchers who are naive enough to submit bugs to Apple bug bounty should start demanding interest on the payments. They are losing investment opportunities and good returns on that money.
Say no to Apple bug bounty.

— fG! (@osxreverser) July 21, 2021

Illusion of Chaos’ actions come after another researcher, disheartened with Apple’s bug bounty program, also decided to release an iOS lock screen bypass on Monday, the day iOS 15 launched.

A Washington Post article published two weeks ago contained similar accusations from other researchers about how the company’s security team was leaving bug reports unresolved for months, shipping incomplete fixes, low-balling monetary rewards, or banning researchers from the program when they complained.

The post Researcher dumps three iOS zero-days after Apple failed to fix issues for months appeared first on The Record by Recorded Future.
