Three iOS zero-day vulnerabilities revealed by researcher frustrated with Apple’s bug bounty program

On Thursday, a security researcher frustrated with Apple’s Security Bounty program who goes by the pseudonym “illusionofchaos” revealed three zero-day vulnerabilities in Apple’s iOS operating system.

bits

Jim Salter for Ars Technica:

Illusionofchaos says [Apple] chose to cover up an earlier-reported bug without giving them credit.

This researcher is by no means the first to publicly express their frustration with Apple over its security bounty program.

It appears that their frustration largely comes from how Apple handled that first, now-fixed bug in analyticsd.

This now-fixed vulnerability allowed arbitrary user-installed apps to access iOS’s analytics data—the stuff that can be found in Settings –> Privacy –> Analytics & Improvements –> Analytics Data — without any permissions granted by the user. illusionofchaos found this particularly disturbing, because this data includes medical data harvested by Apple Watch, such as heart rate, irregular heart rhythm, atrial fibrillation detection, and so forth.

Analytics data was available to any application, even if the user disabled the iOS Share Analytics setting.

According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple did indeed fix the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability…

Illusionofchaos says the new disclosures still adhere to responsible guidelines: “Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120. I have waited much longer, up to half a year in one case.”

MacDailyNews Take: One might conclude that a company that claimed to respect user privacy might look to cover up a flaw that allowed medical data harvested by Apple Watch to be available to any application.

That’s a big privacy debacle, even prior to Apple announcing their misguided scheme to build in backdoor surveillance into every iPhone, iPad, and Mac — using the Think of the Children™ trojan horse, no less — a hypocritical disloyalty to users, especially after years of claiming to respect and protect user privacy.

So, what’s the 2021 goal of Apple’s so-called “leadership,” exactly? To be known as a garbage company like Google, Facebook, Microsoft, etc.? If so, you’re doing an excellent job so far, Cook et al. Award yourselves another 10,000 RSUs each!

(Note to Apple’s misguided and/or compromised management: No, we’re not stopping. Do the right thing for a change.)

Much more, including information about the three iOS zero-day exploits revealed by the researcher, in the full article here.

Please help support MacDailyNews. Click or tap here to support our independent tech blog. Thank you!

5 Comments

  1. If true, it’s this exact kind of stuff that foretells of a great company’s demise. All have faults, but disguising and denying them is a sign of ill-health and, or dearth of integrity.

    This is a new Apple…if true. This is Cook’s Apple.

  2. This does not foretell the downfall of Apple. Apple is better off than the rest, because they fix their problems faster..

    I wish people would stop blaming Cook every time a developer trips on his shoe laces. Cook is the conductor of the orchestra, a delegator par excellence; he doesn’t play any of the instruments. Without Cook, it would be a cacophonous mess.

    Apple has battalions of developers working on a colossus of code, which is so complex that there are bound to be mistakes here and there.

    I used to work for a small software-development company that made web software for the USMC. Not anywhere near as complex as MacOS. The developers were assigned portions of the product and submitted their code to the repository at the end of each day. Overnight, the repository compiled and ran the code, and sent bug reports to the appropriate developers. Even so, the business analysts couldn’t always identify all the internal use cases and there were bugs that even the testers didn’t detect. One time when I was documenting code, I discovered that the login routine indeed checked to see if the password met the complexity test, but entering no password at all let the user in. The designers, the automated system, and the testers completely missed it.

    Back in the days when operating systems were simple enough to have a single developer and a single tester, one could expect perfect code. Early operating systems didn’t even have to support email. Now that we have operating systems that can keep track of appointments, fetch email, cook breakfast, and track satellites, it is impossible to find all the mistakes.

    Bugs are the price we pay for complex software. No matter who develops it.

    1. While there is no doubt that MacOS and IOS are complicated OS’s, if a researcher sends Apple documented serious or relatively serious privacy or security issues and they chose to ignore them, overlooking, sit on, or whatever fixing them for a seemingly lengthy time, that is a problem.

      And it Cooks problem, as noted by many his social justice antics seem to take more prevalence then running Apple.. You can probably find more stories of that, then what he’s done for Apple, and this of course can go way beyond Apple, its a serious problem for many tech companies.. they focus on the social and then their companies decline or wind up targets of expensive investigations.

      Apple is still on Job’s auto-pilot. But I think thats about to run out of gas.. One wonders how much money Apple has lost because of people not buying because of the way Cook has been running the company as SJW instead of CEO.

      Sure, for the moment, things still look pretty good, but it doesn’t take long to come apart.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.