Apple is facing criticism of its bug bounty and vulnerability reporting program following the public release of details on three zero-day flaws in iOS.
A researcher operating under the handle “illusionofchaos” wrote in a blog post that they decided to release details on the three flaws after being treated poorly by Apple’s vulnerability disclosure program. Specifically, illusionofchaos accused Apple of not properly crediting or listing the flaws on its security content notes.
“When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update,” the bug-hunter explained. “There were three releases since then and they broke their promise each time.”
After having failed to get proper credit from Apple, illusionofchaos decided to simply drop the details on all three in a single public disclosure. Third-party researchers have reviewed the reports and have confirmed that all three are valid security flaws.
The first flaw, dubbed “Gamed 0-day,” would potentially allow App Store apps to gain access to a host of user and device details. This includes user contacts and contact photos, Apple ID usernames and the names of the owners, and the Apple ID authentication token.
The second of the vulnerabilities, described as a “Nehelper Enumerate Installed Apps 0-day,” would let user-installed apps check the device to figure out what other apps are installed on it. While this might not be a massive security risk on its own, it is a rather significant breach of privacy.
The third is called “Nehelper Wifi Info 0-day” and concerns the way Apple’s nehelper component handles, or in this case fails to handle, app entitlement checks.
“This makes it possible for any qualifying app (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement,” the researcher noted.
The researcher also wrote about a fourth vulnerability, affecting analytics logs, that was fixed in iOS version 14.7 – but Apple did not disclose technical details of the flaw and did not credit illusionofchaos for the discovery.
UPDATE 9/27: A day after publishing the blog post, illusionofchaos said they finally received a response from Apple, which said the company is still investigating the vulnerabilities. Apple’s response, according to illusionofchaos, also thanked the researcher for reporting the issues and apologized for the delay in responding.
As illusionofchaos pointed out, they are not the first bug bounty hunter to have problems with the way Apple handles reports and gives credit for security finds.
Noted Apple security researcher Patrick Wardle told SearchSecurity that these sorts of issues have been going on for some time.
“The fact that security researchers are so frustrated by Apple’s Bug Bounty program that they are giving up on it, turning down (potential) money, to post free bugs online is rather telling,” Wardle said in an email.
“Personally, I’ve had to reach out on multiple occasions to ask why Apple had failed to credit my bugs/research. Though it was always remedied (i.e. the security notes were updated and a CVE assigned), it was annoying and frustrating, and definitely made me question Apple’s commitment to security in the context of interacting with the external research community.”