Apple patches zero-day flaw in iOS 15, but without crediting outspoken researcher

Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple, criticizing the company for being slow to respond and act, and for not crediting him for one of the three flaws that were patched. Now it appears Apple has fixed another zero-day flaw, this one in iOS 15 and found by Tokarev earlier this year, again without giving him credit.

In September, Tokarev said that after waiting up to half a year since reporting some of the vulnerabilities to Apple, he decided to go public with the information.

Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.

At the end of September, Tokarev shared that he got a response from Apple that said they were still working on the “issues” and apologized for the delay.

In his September blog post, Tokarev detailed a gamed zero-day flaw (one of three) that would allow any app installed from the App Store to gain access to personal user data such as Apple ID email and full name, Apple ID auth token, complete file system read access to the Core Duet database, and more.

Now Tokarev says Apple has patched the gamed zero-day he discovered in the iOS 15.0.2 security update without crediting him (via BleepingComputer).

When the first zero-day flaw Tokarev discovered and reported to Apple was fixed in iOS 14.7 (July 19) without crediting him, the company told him:

“Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience.”

After the second was patched in iOS 15.0.2 with credit to “an anonymous researcher,” Tokarev said Apple did respond to him in six hours, but apparently didn’t have a way to fix the problem of properly citing him. Meanwhile, Apple still hasn’t responded to the analyticsd zero-day he found that was patched in iOS 14.7.

Tokarev was asked to keep the latest emails from Apple confidential and he has followed that request at this time.


Author: Michael Potuck
Source: 9TO5Google
