On Thursday, a security researcher frustrated with Apple’s Security Bounty program who goes by the pseudonym “illusionofchaos” revealed three zero-day vulnerabilities in Apple’s iOS operating system.
Illusionofchaos says [Apple] chose to cover up an earlier-reported bug without giving them credit.
This researcher is by no means the first to publicly express their frustration with Apple over its security bounty program.
It appears that their frustration largely comes from how Apple handled that first, now-fixed bug in analyticsd.
This now-fixed vulnerability allowed arbitrary user-installed apps to access iOS’s analytics data—the stuff that can be found in Settings –> Privacy –> Analytics & Improvements –> Analytics Data — without any permissions granted by the user. illusionofchaos found this particularly disturbing, because this data includes medical data harvested by Apple Watch, such as heart rate, irregular heart rhythm, atrial fibrillation detection, and so forth.
Analytics data was available to any application, even if the user disabled the iOS Share Analytics setting.
According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple did indeed fix the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability…
Illusionofchaos says the new disclosures still adhere to responsible guidelines: “Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120. I have waited much longer, up to half a year in one case.”
MacDailyNews Take: One might conclude that a company that claimed to respect user privacy might look to cover up a flaw that allowed medical data harvested by Apple Watch to be available to any application.
That’s a big privacy debacle, even prior to Apple announcing their misguided scheme to build in backdoor surveillance into every iPhone, iPad, and Mac — using the Think of the Children™ trojan horse, no less — a hypocritical disloyalty to users, especially after years of claiming to respect and protect user privacy.
So, what’s the 2021 goal of Apple’s so-called “leadership,” exactly? To be known as a garbage company like Google, Facebook, Microsoft, etc.? If so, you’re doing an excellent job so far, Cook et al. Award yourselves another 10,000 RSUs each!
(Note to Apple’s misguided and/or compromised management: No, we’re not stopping. Do the right thing for a change.)
Much more, including information about the three iOS zero-day exploits revealed by the researcher, in the full article here.
Please help support MacDailyNews. Click or tap here to support our independent tech blog. Thank you!