Sep 27, 2021 12:30:00

Security researchers announce three zero-day vulnerabilities in iOS 15 because 'Apple's bug rewards program isn't working.'

As part of its security efforts, Apple is rolling out a bug-rewarding program called

Apple Security Bounty, which pays security researchers who discover and share bugs. However, there have been many criticisms of the program, and cases such as 'the vulnerability has been left unfixed ' and 'the bounty has been unreasonably reduced' have been reported. Following these cases, security researcher illusionofchaos, who discovered four zero-day vulnerabilities in iOS, has severely criticized Apple's bug reward program.

Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program / Habr
https://habr.com/en/post/579714/

Exploit code for three iOS 15 zero-day flaws published • The Register
https://www.theregister.com/2021/09/24/apple_zeroday/

Illusionofchaos said that he discovered and reported four zero-day vulnerabilities related to iOS in about two months from March 10th to May 4th, 2021. By the latest version of iOS 15.0 at the time of writing, he said, only one of the reported zero-day vulnerabilities had been fixed, leaving the other three zero-day vulnerabilities untouched. It is said that it has become.

One of the zero-day vulnerabilities reported by illusionofchaos has been fixed in iOS 14.7, while the others have been left untouched. Therefore, illusionofchaos asked Apple for an explanation and warned that if there was no answer, it would publish a zero-day vulnerability. The warning was ignored by Apple, so he wrote that he 'decided to publish details of the zero-day vulnerability.' In addition, illusionofchaos claims that his actions are compliant with Google Project Zero, Google's bug reward program.

Of the four zero-day vulnerabilities discovered by illusionofchaos, the following three have been left unattended at the time of writing the article. In addition, illusionofchaos has compiled information on three zero-day vulnerabilities and published it on GitHub.

◆ Zero-day vulnerabilities related to games
Among the apps installed from the App Store,

those that use Game Center are zero-day vulnerabilities that allow users to access device data without prompting.

GitHub --illusionofchaos / ios-gamed-0day
https://github.com/illusionofchaos/ios-gamed-0day

By using this vulnerability, the following data can be accessed.

・ Email address associated with Apple ID and name
An Apple ID authentication token that allows users to access at least one of the endpoints on apple.com
· Full file system read access to the Core Duet database (email, SMS, iMessage, contact information registered with third-party messaging apps, metadata about messages exchanged with contacts (timestamps and statistics) Includes), includes some attachments (URL), etc.)
· Full file system read access to speed dial database and contacts (including metadata stored in contacts such as photos, creation date, modification date, etc.)

◆ Zero-day vulnerability related to Nehelper
A zero-day vulnerability in which a user-installed app can identify other apps installed on the device by specifying an arbitrary ID.

GitHub --illusionofchaos / ios-nehelper-enum-apps-0day
https://github.com/illusionofchaos/ios-nehelper-enum-apps-0day

◆ Zero-day vulnerability related to Nehelper Wi-Fi
A zero-day vulnerability that allows apps that meet certain conditions to access Wi-Fi information without the user's permission.

GitHub --illusionofchaos / ios-nehelper-wifi-info-0day
https://github.com/illusionofchaos/ios-nehelper-wifi-info-0day

The zero-day vulnerability reported by illusionofchaos and fixed in iOS 14.7 makes all apps accessible to analytics logs. The analysis log stores information such as medical information, menstrual cycle, device usage information, screen time information for apps with arbitrary IDs, device accessory information, and the language of the web page that the user displayed in Safari. ..

Regarding the zero-day vulnerability published by illusionofchaos, Patrick Wardle, the founder of Objective-See and a security researcher himself, said, 'The bug (reported by illusionofchaos) works well, but is widely exploited. It's unlikely. In the first place, apps that attempt to exploit these zero-day vulnerabilities must first be distributed on the App Store with Apple's approval. ' I'm skeptical about the appearance of. On the other hand, Wardle said, 'What I find more problematic is that Apple is releasing iOS with known bugs as it is,' he said, leaving iOS with known zero-day vulnerabilities. It criticizes Apple's response to continued updates.

Wardle went on to understand that security researchers were dissatisfied with Apple's bug rewards program: 'Apple has enough resources to fix bugs and vulnerabilities reported by security researchers. But obviously bug fixes don't seem to be a priority for Apple, 'he said, reiterating Apple's response.