Apple revised its Security Bounty program in 2019, opening it to anyone, increasing payouts and more. Even so, the program has drawn a good amount of criticism from the infosec community. Now another security researcher has shared his experience, claiming that Apple is ignoring three zero-day vulnerabilities in iOS 15.
Apple accused of ignoring zero-day vulnerabilities in iOS 15
Security researcher illusionofchaos shared his experience in a blog post. According to him, Apple has known about the three zero-day vulnerabilities in iOS 15 since March. The researcher wrote:
I want to share my frustrating experience participating in the Apple Security Bounty program. I reported four 0-day vulnerabilities this year between March 10 and May 4. To date, three of them are still present in the latest version of iOS (15.0). One was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue, and promised to list it on the next update’s security content page. There have been three releases since then, and each time they haven’t kept their promise.
illusionofchaos says he asked Apple again for an explanation, warning that he would publish his research, in line with responsible disclosure guidelines. Apple did not answer.
Ten days ago, I asked for an explanation and warned the company that I would go public with my research if I didn’t get a response. My request was ignored, so I’m doing what I promised. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities 90 days after reporting them to vendor, ZDI – in 120). I waited a lot longer, even up to the middle of the year.
illusionofchaos shared details on the three remaining zero-day vulnerabilities he found. They are described as the “Gamed 0-day”, the “Nehelper Enumerate Installed Apps 0-day” and the “Nehelper Wifi Info 0-day”, each accompanied by proof-of-concept source code. Below is an overview of the three vulnerabilities.
Gamed 0-day
Any app installed from the App Store can access the following data without any prompt to the user:
- Apple ID email and the full name associated with it;
- Apple ID authentication token that allows access to at least one of the endpoints on *.apple.com on behalf of the user;
- Full access to the Core Duet database (contains a list of contacts from email, SMS, iMessage, third-party messaging apps and metadata on all user interactions with these contacts, including timestamps and statistics), and even some attachments (such as URLs and texts);
- Full read access to the Speed Dial database and the address book database, including contact pictures and other metadata such as creation and modification dates.
Nehelper Enumerate Installed Apps 0-day
The vulnerability allows any user-installed app to determine whether any other app is installed on the device, given its bundle ID.
Nehelper Wifi Info 0-day
The com.apple.nehelper XPC endpoint accepts a user-supplied sdk-version parameter, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This makes it possible for any qualifying app (e.g. one with location access permission) to obtain Wi-Fi information without holding the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.
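The flaw described above is an instance of a general pattern: an authorization decision that can be short-circuited by a value the client controls. The following is an added, hypothetical C model of that pattern (not Apple's code and not the researcher's proof of concept); the names flawed_check_if_entitled, hardened_check_if_entitled, count_unentitled_grants and the sample request table are assumptions made for the illustration, and only the 524288 threshold comes from the write-up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of an XPC helper deciding whether a caller may read
 * Wi-Fi information. Constructed for illustration, not Apple's code. */

#define LEGACY_SDK_VERSION 524288u /* threshold quoted in the write-up */

struct request {
    uint32_t sdk_version;      /* supplied by the client, so attacker-controlled */
    bool has_wifi_entitlement; /* in reality derived from the caller's code signature */
};

/* Flawed model: a client-controlled version field bypasses the entitlement
 * check entirely, so any caller claiming an old SDK is granted access. */
bool flawed_check_if_entitled(const struct request *req)
{
    if (req->sdk_version <= LEGACY_SDK_VERSION)
        return true; /* entitlement is never consulted on this path */
    return req->has_wifi_entitlement;
}

/* Hardened model: the decision depends only on the signed entitlement.
 * The version field may still drive compatibility behaviour, but never
 * whether access is granted. */
bool hardened_check_if_entitled(const struct request *req)
{
    (void)req->sdk_version;
    return req->has_wifi_entitlement;
}

/* Audit helper: count requests the flawed check would grant even though the
 * caller holds no entitlement. A non-zero result is the bug. */
int count_unentitled_grants(const struct request *reqs, int n)
{
    int grants = 0;
    for (int i = 0; i < n; i++)
        if (!reqs[i].has_wifi_entitlement && flawed_check_if_entitled(&reqs[i]))
            grants++;
    return grants;
}

/* Constructed sample requests covering both sides of the threshold. */
const struct request sample_requests[4] = {
    {      1, false }, /* old SDK, no entitlement: flawed check grants */
    { 524288, false }, /* exactly at threshold, no entitlement: grants */
    { 524289, false }, /* above threshold, no entitlement: denied */
    { 600000, true  }, /* legitimately entitled caller */
};
const int sample_request_count = 4;

int main(void)
{
    for (int i = 0; i < sample_request_count; i++)
        printf("sdk=%u entitled=%d flawed=%d hardened=%d\n",
               sample_requests[i].sdk_version,
               sample_requests[i].has_wifi_entitlement,
               flawed_check_if_entitled(&sample_requests[i]),
               hardened_check_if_entitled(&sample_requests[i]));
    printf("unentitled grants under flawed check: %d\n",
           count_unentitled_grants(sample_requests, sample_request_count));
    return 0;
}
```

The lesson for anyone reviewing a privileged service is that fields arriving over the IPC channel are inputs to be validated, not evidence of who the caller is; only properties bound to the caller's identity (here, its signed entitlements) should decide access.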
Taking a step back to see the big picture, Apple has called its bug bounty program a “runaway success”, even as the infosec community has voiced a variety of specific criticisms and concerns about it.