Apple silently fixed the “gamed” zero-day vulnerability with Monday's release of iOS 15.0.2, a security flaw that could allow attackers to access sensitive user information.
The company fixed the bug without acknowledging or crediting software developer Denis Tokarev for its discovery, even though he reported the flaw seven months before iOS 15.0.2 was released.
Failure to credit bug reports
In July, Apple also silently fixed the ‘analyticsd’ zero-day with the release of iOS 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in the security advisories for an upcoming update.
Since then, Apple has issued several security advisories (iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS vulnerabilities, but each time it has not credited his analyticsd bug report.
“Due to a processing issue, your credit will be included in the Field Safety Advisories in a future update. We apologize for the inconvenience,” Apple told him when he asked why the bug list for the iOS security patch did not include his zero-day.
Two days ago, after the release of iOS 15.0.2, Tokarev again emailed Apple about the missing credit for the gamed and analyticsd vulnerabilities in its security advisories. Apple responded by asking him to treat the content of their email exchange as confidential.
This is not the first time Apple’s security team has asked for confidentiality: the first time was in August, when he was told that the zero-day would be fixed in a future security update and was urged not to publicly disclose the bug.
“All things considered, they handle game vulnerability a bit better than analytics, at least they don’t ignore me and lie to me this time around,” Tokarev told TechToSee.
It appears that they do not have a separate protocol for dealing with reports that have already been leaked. And if that post contains a legitimate excuse, they could save a tiny bit of reputation by making it public. But that’s up to them to decide, I won’t release the full message until I get the credit. 2/3 pic.twitter.com/iG6waUELtk
– Denis Tokarev (@illusionofcha0s) October 13, 2021
Other bug hunters and security researchers have also reported having had similar experiences when reporting vulnerabilities to Apple’s Product Security team through the Apple Security Bounty program.
Some said the bugs they reported to Apple were silently fixed without the company giving them any credit, as happened in this case.
Two zero-days still left to patch (silently)
In total, Tokarev found four iOS zero-days and reported them to Apple between March 10 and May 4. Apple patched the analyticsd zero-day in July.
If attackers succeeded in exploiting the four vulnerabilities on unpatched iOS devices (i.e. iPhones and iPads), they could gain access to Apple ID emails, full names, Apple ID authentication tokens, information about installed apps, WiFi information, and analytics logs (including medical and device information).
The full list of iOS zero-days reported by Tokarev includes:
Gamed 0-day (fixed in iOS 15.0.2): Bug exploitable via user-installed applications from the App Store, giving unauthorized access to sensitive data normally protected by a TCC prompt or the platform sandbox ($100,000 on the Apple Security Bounty program page)
Nehelper Enumerate Installed Apps 0-day (iOS 15.0): Allows any user-installed app to determine if an app is installed on the device based on its bundle ID.
Nehelper Wifi Info 0-day (iOS 15.0): Allows any eligible application (for example, one with location access permission) to access WiFi information without the required entitlement.
Analyticsd (fixed in iOS 14.7): Allows any user-installed app to access analytics logs.
“We have seen your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” Apple told Tokarev 24 hours after he published the zero-days and exploit code on his blog.
“We want to let you know that we are still investigating these issues and how we can resolve them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your help.”
Apple also fixed a second zero-day vulnerability in iOS 15.0.2 and iPadOS 15.0.2, one actively exploited in the wild to target iPhones and iPads.
This bug, identified as CVE-2021-30883, is a critical memory corruption flaw in IOMobileFrameBuffer, allowing malicious applications to execute commands on vulnerable devices with kernel privileges.
Apple has not responded to emails sent by TechToSee since September 24, requesting an official statement and more details.
- Researcher drops three iOS zero-days that Apple refused to fix
- Exploit code released for three iOS 0-days that Apple failed to fix
- Researcher discloses three iOS zero-days, still usable in iOS 15, criticizes Apple for ignoring them
- Apple fixes iOS zero-day used to deploy NSO iPhone spyware
- Apple iOS 15.0.2 emergency update fixes zero-day used in attacks