A researcher has made public the details of three unpatched iOS vulnerabilities after he became frustrated with how Apple runs its bug bounty program.
The researcher, Denis Tokarev (aka illusionofchaos), disclosed his findings last week on the Russian IT blog Habr.
Tokarev claims to have reported four iOS vulnerabilities to Apple between March 10 and May 4, but only one of them was fixed and Apple did not mention it in its release notes.
“When I confronted [Apple], they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time,” the researcher said.
He added, “Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would.”
The researcher’s blog post contains technical details for each of the four security holes he reported, as well as links to proof-of-concept (PoC) exploits hosted on GitHub. He argued that he gave Apple enough time to release patches and pointed to major companies such as Google and ZDI, which typically give vendors 90 and 120 days, respectively, to patch vulnerabilities before disclosing them. “I have waited much longer, up to half a year in one case,” Tokarev said.
The vulnerability that was patched by Apple (with the release of iOS 14.7) can allow a malicious application installed on a device to access information stored by Apple in analytics logs. The researcher said these files can store information about the device and its usage, as well as some health-related data.
The flaws that have yet to be patched — the researcher says they can be exploited on the latest iOS 15 version — allow malicious applications installed on a device to access various types of information. One can be exploited to obtain Wi-Fi information and another can be leveraged to enumerate installed apps.
The most serious of them allows “any app installed from the App Store” to access a wide range of data without prompting the user. Exposed data includes email address, associated name, Apple ID authentication token, and information associated with the victim’s contacts.
Over the weekend, Tokarev updated his blog post to say that Apple had reached out to him. The tech giant allegedly apologized for the delayed response and said it was still investigating the issues and how they can be addressed.
Someone in the jailbreaking community claimed to have fixed all of the unpatched iOS vulnerabilities.
Tokarev is the latest on a long list of security researchers frustrated with Apple’s bug bounty program. Many have complained over the past years about delayed responses and rewards they considered too small.
The tech giant said it paid out $3.7 million last year and several researchers have confirmed receiving significant bug bounties from the company.