The public disclosure follows other grievances about how Apple handles bug bounties.
Yesterday, a pseudonymous security researcher who goes by illusionofchaos published details of three zero-day vulnerabilities in Apple's iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher's frustration with the Apple Security Bounty program, which, according to illusionofchaos, quietly fixes previously reported bugs without crediting the people who reported them.
This researcher is by no means the first to publicly express frustration with Apple over its security bounty program; see Ars' earlier coverage, Infosec says Apple's bug bounty program needs work.
Good bug - now hush
illusionofchaos says they reported four iOS vulnerabilities to Apple this year: the three zero-days publicly disclosed yesterday, plus an earlier bug they say Apple fixed in iOS 14.7. Their frustration appears to stem in large part from Apple's handling of that first bug, which exposed Analytics data (the data found under Settings -> Privacy -> Analytics & Improvements -> Analytics Data) to any app without any permission from the user. illusionofchaos found this very worrying, since that data includes medical data collected by Apple Watch such as heart rate, arrhythmia detection, atrial fibrillation diagnoses, and more.
Analytics data was available to any app, even if the user had disabled the iOS Share Analytics setting.
According to illusionofchaos, they sent their first detailed bug report to Apple on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it intended to fix the issue in iOS 14.7. On July 19, Apple did fix the bug in iOS 14.7, but the iOS 14.7 security content list acknowledged neither the researcher nor the vulnerability; Apple called it a 'processing issue' and said it would be properly acknowledged in a 'future update'. The vulnerability was still unacknowledged in the security content for iOS 14.8 on September 13 and iOS 15.0 on September 20. Then illusionofchaos dropped the three zero-days this week. In their words: "Ten days ago I asked for an explanation and warned that if I received no explanation I would make my research public. My request was ignored, so I am doing what I said I would."
We don't have a firm timeline for illusionofchaos' disclosure of the three zero-days or for Apple's response to them, but illusionofchaos says the new disclosures still adhere to responsible-disclosure guidelines: "Google Project Zero discloses vulnerabilities 90 days after reporting them to the vendor, ZDI after 120. I have waited much longer, up to half a year in one case."
New vulnerabilities: Gamed, nehelper enumerate installed apps, nehelper Wi-Fi info
The zero-days illusionofchaos dropped yesterday can all be used by user-installed apps to access data those apps should not have access to. We've listed them below, along with links to illusionofchaos' GitHub repos with proof-of-concept code, in order of (in our opinion) their severity: the Gamed 0-day, which exposes Apple ID authentication tokens and gives read access to the Core Duet and Speed Dial databases; the nehelper enumerate installed apps 0-day; and the nehelper Wi-Fi info 0-day, which exposes Wi-Fi data to apps that are not entitled to read it.
The Gamed 0-day is clearly the most severe, since it exposes PII and may in some cases be able to perform actions on *.apple.com that would normally be performed only by iOS itself or by direct user interaction.
Gamed's read access to the Core Duet and Speed Dial databases is also very concerning, because that access could be used to build a fairly complete picture of a user's interactions with others on an iOS device: who is in their contact list, who they contacted (using both third-party and built-in apps) and when, and in some cases even the attachments sent in individual messages.
The Wi-Fi 0-day comes next, since unauthorized access to an iOS device's Wi-Fi information could be used to track a user, or possibly to learn the credentials needed to join the user's Wi-Fi network. Tracking is usually the more serious concern, since physical proximity is generally required for Wi-Fi credentials to be useful.
One of the interesting things about the Wi-Fi 0-day is the sheer simplicity of both the flaw and its exploitation: "XPC endpoint com.apple.nehelper accepts the user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped." In other words, all an app has to do is claim it was built with an old SDK, and nehelper skips the entitlement check that would otherwise gate access to Wi-Fi information. The value is chosen by the calling app, so the check is only as strong as the attacker wants it to be.
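The bypass as described is easy to model. The C below is an added example written for this article; it is not illusionofchaos' proof of concept and not Apple's code. It reduces the nehelper gate to a single function that receives two kinds of input: a fact the server can verify on its own (whether the caller's code signature carries the wifi-info entitlement) and a field the caller freely chooses (the sdk-version value in the message body). The vulnerable gate, as the advisory describes it, lets the second decide; the hardened gate lets only the first decide. All names are hypothetical, and the reading of 524288 as the packed SDK version 8.0.0 (dyld packs versions as major<<16 | minor<<8 | patch) is our interpretation of the constant, not something the advisory states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Threshold quoted in the advisory: 524288 == 0x00080000. */
#define LEGACY_SDK_THRESHOLD 524288u

/* dyld-style version packing: major<<16 | minor<<8 | patch. Under this
 * encoding 524288 is 8.0.0, i.e. the iOS 8 SDK (our interpretation). */
uint32_t encode_sdk_version(unsigned major, unsigned minor, unsigned patch) {
    return ((uint32_t)major << 16) | ((uint32_t)minor << 8) | (uint32_t)patch;
}

/* Hypothetical, simplified view of an XPC request as the daemon sees it. */
typedef struct {
    const char *label;               /* for the demo printout only */
    bool has_wifi_info_entitlement;  /* taken from the caller's code signature: trustworthy */
    uint32_t sdk_version;            /* copied from the message body: attacker-controlled */
} xpc_request_t;

typedef bool (*wifi_gate_fn)(const xpc_request_t *);

/* Gate with the logic the advisory describes: a low enough claimed SDK
 * version short-circuits the entitlement check entirely. */
bool wifi_info_allowed_vulnerable(const xpc_request_t *req) {
    if (req->sdk_version <= LEGACY_SDK_THRESHOLD)
        return true;                         /* "legacy" path, no check at all */
    return req->has_wifi_info_entitlement;
}

/* Hardened gate: authorization depends only on what the server verified.
 * sdk_version may still pick a legacy response format elsewhere; it must
 * never decide whether the caller is allowed to ask. */
bool wifi_info_allowed_fixed(const xpc_request_t *req) {
    return req->has_wifi_info_entitlement;
}

/* Runs a gate over a constructed set of callers and returns how many
 * callers WITHOUT the entitlement were nevertheless granted access. */
unsigned count_unentitled_grants(wifi_gate_fn gate) {
    const xpc_request_t samples[] = {
        {"entitled app, iOS 15 SDK",            true,  encode_sdk_version(15, 0, 0)},
        {"unentitled app, honest iOS 15 SDK",   false, encode_sdk_version(15, 0, 0)},
        {"unentitled app, claims iOS 8.0 SDK",  false, encode_sdk_version(8, 0, 0)},
        {"unentitled app, claims SDK version 0", false, 0},
    };
    unsigned grants = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool allowed = gate(&samples[i]);
        if (allowed && !samples[i].has_wifi_info_entitlement)
            grants++;
    }
    return grants;
}

int main(void) {
    printf("524288 decodes to SDK %u.%u.%u\n",
           LEGACY_SDK_THRESHOLD >> 16, (LEGACY_SDK_THRESHOLD >> 8) & 0xff,
           LEGACY_SDK_THRESHOLD & 0xff);
    printf("unentitled callers granted by vulnerable gate: %u\n",
           count_unentitled_grants(wifi_info_allowed_vulnerable));
    printf("unentitled callers granted by fixed gate:      %u\n",
           count_unentitled_grants(wifi_info_allowed_fixed));
    return 0;
}
```

The point generalizes beyond nehelper: any privileged service that reads a "version", "client type" or "compatibility mode" field from a message and uses it to select a weaker authorization path has handed the choice to the caller. Compatibility switches may change what a response looks like, never whether the caller is allowed to receive it.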
The nehelper enumerate installed apps 0-day seems the least damaging of the three. The bug simply allows an app to check whether another app is installed on the device by querying for the other app's bundle identifier. We can't think of terribly severe abuses of this bug on its own, but hypothetical malware could use it to determine whether a security or antivirus program is installed and then adapt its behavior dynamically to better evade detection.
As for illusionofchaos' decision to disclose these weaknesses, it is difficult to fault them for it. We wish they had included the full timeline of their interaction with Apple on all four vulnerabilities, not just the earlier one, but that is one of the limitations of dealing with a pseudonymous researcher. Since Ars published a piece earlier this month about Apple's inconsistency with security bounties, several researchers have contacted us privately with their concerns; in some cases they have shown us videos demonstrating that the bugs they reported have still not been fixed. We will update this story with Apple's response if and when it arrives.
Three iOS 0-days dropped by a researcher disappointed with Apple's bug bounty program