Apple revamped its Security Bounty program in 2019, opening it to everyone, increasing payouts, and more. However, the program has drawn considerable criticism from the infosec community. Now another security researcher has shared his experience, claiming that Apple did not credit him for a zero-day flaw he reported that was subsequently fixed, and that three other zero-day vulnerabilities remain in iOS 15.
Update 9/27: After the researcher shared his experience publicly, Apple responded to security researcher illusionofchaos, aka Denis Tokarev.
As reported by Motherboard, here's what Apple officially responded with, as shared by Tokarev:
“We have seen your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” wrote an Apple employee. “We want to let you know that we are still investigating these issues and how we can resolve them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your help. Please let us know if you have any questions.”
Motherboard verified that Apple's email to Tokarev was legitimate by confirming that it came from an Apple-owned server. Motherboard also gathered reactions from members of the infosec community:
“While I'm glad Apple seems to be taking this particular situation more seriously now, it sounds more like a reaction to bad press than anything else,” said Nicholas Ptacek, a researcher who works for SecureMac, a cybersecurity firm that focuses on Apple computers.
Meanwhile, another cybersecurity veteran said:
But the way Apple has handled this whole process, given that its bug bounty program is over five years old, “is not normal and should be considered normal,” according to Katie Moussouris, a cybersecurity expert who basically invented the concept of bug bounties more than 10 years ago when she was at Microsoft.
Security researcher illusionofchaos shared his experience in a blog post, including the claim that Apple has been aware of three zero-day vulnerabilities since March and has ignored them, and that they are still present in iOS 15.
I want to share my frustrating experience participating in the Apple Security Bounty program. I reported four 0-day vulnerabilities this year between March 10 and May 4; so far three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it and not list it on the security content page. When I confronted them, they apologized, assured me it was due to a processing issue, and promised to list it on the security content page for the next update. There have been three releases since then and they've broken their promise every time.
illusionofchaos says he asked Apple again for an explanation, warning that he would make his research public, in accordance with responsible disclosure guidelines, and Apple did not respond.
Ten days ago I asked for an explanation and warned that I would make my research public if I did not receive one. My request was ignored, so I am doing what I said I would do. My actions comply with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities within 90 days of reporting them to the vendor, ZDI within 120). I waited much longer, up to six months in one case.
illusionofchaos shared details of the other three zero-day vulnerabilities he found, named “Gamed 0-day”, “Nehelper Enumerate Installed Apps 0-day” and “Nehelper Wifi Info 0-day”, including proof-of-concept source code.
Here’s a look at each:
Gamed 0-day
Any application installed from the App Store can access the following data without any user prompt:
- Apple ID email address and associated full name
- Apple ID authentication token that provides access to at least one of the endpoints on *.apple.com on behalf of the user
- Full read access to the Core Duet database file (contains a contact list from Mail, SMS, iMessage, third-party messaging apps, and metadata about all user interactions with those contacts (including timestamps and statistics), as well as some attachments (like URLs and texts))
- Full read access to the Speed Dial database file and the address book database, including contact photos and other metadata like creation and modification dates (I just checked on iOS 15 and this one is inaccessible, so it must have been quietly fixed recently)
Nehelper Enumerate Installed Apps 0-day
The vulnerability allows any user-installed application to determine whether any application is installed on the device, given its bundle ID.
Nehelper Wifi Info 0-day
The XPC endpoint com.apple.nehelper accepts a user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This allows any qualifying application (for example, one with location access permission) to access Wi-Fi information without the required entitlement. It happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.
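To make the bug class concrete, here is an added C model of the decision described above, written for this article and not taken from nehelper or the researcher's proof of concept. The struct, function names and the assumption that a "qualifying" caller holds location permission are all constructed; the only value from the page is the 524288 cutoff. It shows the vulnerable gate, where a client-asserted version skips the entitlement check, beside a hardened gate that decides only on daemon-verified properties.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cutoff quoted in the write-up: requests declaring an SDK version at or
 * below this value skipped the entitlement check in the vulnerable daemon. */
#define LEGACY_SDK_VERSION_CUTOFF 524288u

/* Constructed model of one XPC request. The two flags stand in for facts
 * the daemon can verify itself (signed entitlements, system permission
 * store); sdk_version is just a number the client puts in the message. */
struct wifi_info_request {
    uint32_t sdk_version;           /* client-supplied, untrusted */
    bool has_wifi_info_entitlement; /* from the caller's signed entitlements */
    bool has_location_permission;   /* from the system's permission store */
};

/* Vulnerable logic as described on the page: a caller that declares an
 * old SDK version is never asked for the entitlement at all. */
bool check_if_entitled_vulnerable(const struct wifi_info_request *req)
{
    if (req->sdk_version <= LEGACY_SDK_VERSION_CUTOFF)
        return true;                /* legacy shim: check skipped entirely */
    return req->has_wifi_info_entitlement;
}

/* Hardened logic: access depends only on properties the daemon verifies.
 * Client-asserted metadata may choose a response format, never relax a check. */
bool check_if_entitled_fixed(const struct wifi_info_request *req)
{
    (void)req->sdk_version;         /* deliberately ignored for access control */
    return req->has_wifi_info_entitlement;
}

/* Full gate: location permission (assumed to be what "qualifying" means)
 * plus whichever entitlement check is plugged in. */
bool wifi_info_allowed(const struct wifi_info_request *req,
                       bool (*entitled)(const struct wifi_info_request *))
{
    return req->has_location_permission && entitled(req);
}

int main(void)
{
    /* Constructed: location permission, no entitlement, version under cutoff. */
    struct wifi_info_request r = { 524288u, false, true };
    printf("vulnerable: %s\n", wifi_info_allowed(&r, check_if_entitled_vulnerable) ? "granted" : "denied");
    printf("fixed:      %s\n", wifi_info_allowed(&r, check_if_entitled_fixed) ? "granted" : "denied");
    return 0;
}
```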
Two points of view
Stepping back to look at the bigger picture, Apple has called its bug bounty program a “runaway success,” while the infosec community has shared a variety of specific criticisms and concerns about it. These include allegations that Apple did not respond, or did not respond promptly, and that Apple did not pay for discovered flaws that meet the bounty program's guidelines.
Notably, earlier this month we learned that Apple has hired a new leader for its Security Bounty program in an attempt to “reform” it.