3 0-day iOS exploits reported to Apple Security Bounty program but not fixed
Security expert Denis Tokarev has made public his findings surrounding 3 0-day vulnerabilities in iOS that have yet to be fixed even in the latest 15.0 release. This is following through on a promise to do so after not receiving a response from Apple concerning why these exploits weren't addressed.
Sharing his experience alongside the vulnerabilities via a post on the Habr IT specialists blog, Tokarev cites not only accordance with responsible disclosure guidelines, but 11 independent accounts of similarly frustrating experiences with Apple's bounty program. He also links to all of the proof of concept source code repositories that he's hosted on GitHub. The 0-days allow for access to Apple ID information without any user prompts, whether specific apps are installed on a user's device, and apps to gain access to wi-fi information without the required permissions.
Alongside the GitHub repos and process for these exploits to be utilized, timelines were given for each reported 0-day alongside Apple's responses. A fourth exploit that Tokarev reported, named Analyticsd, was fixed in iOS 14.7 but not publicly disclosed by Apple in any of its security contents lists for 14.7 or later.
24 hours following Tokarev's post on Habr, Apple sent him the following response: "We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you.
We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.
Please let us know if you have any questions."
As of the publishing of this post, Apple has yet to address these vulnerabilities.
Further coverage: Habr
- Free • Proprietary
- Apple Watch
iOS is a mobile operating system developed by Apple Inc. and distributed exclusively for Apple hardware. It is the operating system that powers iPhone, iPod Touch, and formerly iPad.