Apple has silently fixed a ‘gamed’ zero-day vulnerability with Monday's release of iOS 15.0.2. The security flaw could let attackers gain access to sensitive user information.
The company addressed the bug without acknowledging or crediting software developer Denis Tokarev for the discovery even though he reported the flaw seven months before iOS 15.0.2 was released.
In July, Apple also silently patched an ‘analyticsd’ zero-day flaw with the release of iOS 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in security advisories for an upcoming update.
Since then, Apple published multiple security advisories (iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS vulnerabilities but, each time, they failed to credit his analyticsd bug report.
“Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience,” Apple told him when asked why the list of fixed iOS security bugs didn’t include his zero-day.
Two days ago, after iOS 15.0.2 was released, Tokarev emailed again about the lack of credit for the gamed and analyticsd flaws in the security advisories. Apple replied, asking him to treat the contents of their email exchange as confidential.
This wouldn’t be the first time Apple’s security team asked for confidentiality: the first time happened in August when he was told the gamed zero-day would be fixed in a future security update and urged not to disclose the bug publicly.
“All things considered, they treat gamed vulnerability a bit better than analyticsd, at least they don’t ignore me and lie to me this time,” Tokarev told BleepingComputer.
Other bug bounty hunters and security researchers have also reported having similar experiences when reporting vulnerabilities to Apple’s product security team via the Apple Security Bounty Program.
Some said bugs reported to Apple were silently fixed, with the company failing to give them credit, just as it happened in this case.
Others weren’t paid the amount listed on Apple’s official bounty page [1, 2] or haven’t received any payment at all, while some have been kept in the dark for months on end with no replies to their emails.
In total, Tokarev found four iOS zero-days and reported them to Apple between March 10 and May 4. In September, he published proof-of-concept exploit code and details on all iOS vulnerabilities after the company failed to credit him after patching the gamed zero-day in July.
If attackers successfully exploited the four vulnerabilities on unpatched iOS devices (i.e., iPhones and iPads), they could gain access to and harvest Apple ID emails, full names, Apple ID authentication tokens, installed apps info, WiFi info, and analytics logs (including medical and device information).
The complete list of iOS zero-days reported by Tokarev includes:
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” Apple told Tokarev 24 hours after he published the zero-days and the exploit code on his blog.
“We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.”
Apple has also fixed a second zero-day vulnerability in iOS 15.0.2 and iPadOS 15.0.2, actively exploited in the wild to target iPhones and iPads.
This bug, tracked as CVE-2021-30883, is a critical memory corruption flaw in the IOMobileFrameBuffer, allowing malicious applications to execute commands on vulnerable devices with kernel privileges.
Apple has not replied to emails BleepingComputer sent since September 24, asking for an official statement and more details.