In 2019, Apple opened its Security Bounty Program to the public, offering payouts up to $1 million to researchers who share critical iOS, iPadOS, macOS, tvOS, or watchOS security vulnerabilities with Apple, including the techniques used to exploit them. The program is designed to help Apple keep its software platforms as safe as possible.
In the time since, reports have surfaced indicating that some security researchers are unhappy with the program, and now a security researcher who uses the pseudonym "illusionofchaos" has shared their similarly "frustrating experience."
In a blog post highlighted by Kosta Eleftheriou, the unnamed security researcher said they reported four zero-day vulnerabilities to Apple between March and May of this year, but they said that three of the vulnerabilities are still present in iOS 15 and that one was fixed in iOS 14.7 without Apple giving them any credit.
I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
The person said that, last week, they warned Apple that they would make their research public if they didn't receive a response. However, they said Apple ignored the request, leading them to publicly disclose the vulnerabilities.
One of the zero-day vulnerabilities relates to Game Center and allegedly allows any app installed from the App Store to access some user data:
- Apple ID email and full name associated with it
- Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user
- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)
- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one inaccessible, so that one must have been quietly fixed recently)
The other two zero-day vulnerabilities that are apparently still present in iOS 15, as well as the one patched in iOS 14.7, are also detailed in the blog post.
Click through to see the Game Center exploit in particular. It’s rough. Things like this should almost never slip through the cracks with a functioning security program. Instead, with Apple, it’s commonplace. That’s so deeply broken, yet nothing changes. What will it take? — Marco Arment (@marcoarment) September 24, 2021
