Apple overhauled its security bounty program back in 2019 by opening it to anyone, increasing payouts, and more. However, the program has drawn a good amount of criticism from the infosec community. Now another security researcher has shared their experience, claiming that Apple did not credit them for one zero-day flaw they reported, which has since been fixed, and that three more zero-day vulnerabilities they reported remain in iOS 15.
Update 9/27: After security researcher illusionofchaos, aka Denis Tokarev, shared his experience publicly, Apple has responded.
As reported by Motherboard, here is Apple’s official response, per Tokarev:
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” an Apple employee wrote. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”
Motherboard verified the email from Apple to Tokarev as legitimate by confirming it came from a server owned by Apple. Motherboard also asked for more feedback from those in the infosec community:
“While I’m glad Apple appears to be taking this particular situation more seriously now, it comes across as more of a reaction to bad press than anything else,” said Nicholas Ptacek, a researcher who works for SecureMac, a cybersecurity company that focuses on Apple computers.
Meanwhile, another cybersecurity veteran said:
But the way Apple handled this whole process, given that its bug bounty program is more than five years old, “is not normal and should be considered normal,” according to Katie Moussouris, a cybersecurity expert who essentially invented the concept of bug bounties more than 10 years ago while she was at Microsoft.
Security researcher illusionofchaos shared his experience in a blog post, including the claim that Apple has known about three zero-day vulnerabilities since March, has ignored them, and that they remain in iOS 15.
I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4; as of now, three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
illusionofchaos says he asked Apple again for an explanation, warning that he would make his research public, in line with responsible disclosure guidelines, and Apple did not respond.
Ten days ago I asked for an explanation and warned them that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.
illusionofchaos shared details of the other three zero-day vulnerabilities he found, the “Gamed 0-day,” “Nehelper Enumerate Installed Apps 0-day,” and “Nehelper Wifi Info 0-day,” including proof-of-concept source code.
Here’s an overview of each one:
Gamed 0-day
Any app installed from the App Store may access the following data without any prompt from the user:
- Apple ID email and full name associated with it
- Apple ID authentication token which allows access to at least one of the endpoints on *.apple.com on behalf of the user
- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all the user’s interactions with these contacts (including timestamps and statistics), also some attachments (like URLs and texts))
- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I’ve just checked on iOS 15 and this one is inaccessible, so that one must have been quietly fixed recently)
Nehelper Enumerate Installed Apps 0-day
The vulnerability allows any user-installed app to determine whether any app is installed on the device given its bundle ID.
Nehelper Wifi Info 0-day
XPC endpoint com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This makes it possible for any qualifying app (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.
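To make the nehelper flaw concrete, here is an added C model (not nehelper’s code and not from the researcher’s post) of the version-gated check described above, beside a hardened form in which the entitlement is authoritative. The 524288 threshold, the sdk-version field and the entitlement are taken from the write-up; the struct, the packed xxxx.yy.zz version layout (under which 524288 decodes to SDK 8.0.0) and the idea of the daemon reading the SDK version from the caller’s binary rather than the message are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Threshold quoted in the write-up. Assumed to be a Mach-O packed
 * xxxx.yy.zz version, so 524288 == 0x00080000 == SDK 8.0.0. */
#define LEGACY_SDK_MAX 524288u

/* Constructed model of a caller as the daemon sees it. */
typedef struct {
    uint32_t sdk_version_claimed; /* "sdk-version" from the XPC message: caller-controlled */
    uint32_t sdk_version_binary;  /* hypothetical: SDK recorded in the caller's Mach-O */
    bool     has_wifi_info_entitlement;
} caller_t;

/* Split a packed xxxx.yy.zz version into its components. */
void decode_sdk(uint32_t v, unsigned *x, unsigned *y, unsigned *z)
{
    *x = v >> 16; *y = (v >> 8) & 0xff; *z = v & 0xff;
}

/* Flawed gate, as described: a caller-supplied field decides whether
 * the entitlement is checked at all. */
bool wifi_info_allowed_flawed(const caller_t *c)
{
    if (c->sdk_version_claimed <= LEGACY_SDK_MAX)
        return true; /* entitlement check skipped for "legacy" callers */
    return c->has_wifi_info_entitlement;
}

/* Hardened gate: the entitlement is authoritative for every caller, and
 * the legacy flag only feeds logging/deprecation, derived from the daemon's
 * own view of the binary rather than from the message. */
bool wifi_info_allowed_hardened(const caller_t *c, bool *legacy_caller)
{
    *legacy_caller = c->sdk_version_binary <= LEGACY_SDK_MAX;
    return c->has_wifi_info_entitlement;
}

int main(void)
{
    /* Constructed: iOS 15 app without the entitlement, claiming an ancient SDK. */
    caller_t spoof = { 0, 15u << 16, false };
    bool legacy;
    printf("flawed=%d hardened=%d\n", wifi_info_allowed_flawed(&spoof),
           wifi_info_allowed_hardened(&spoof, &legacy));
    return 0;
}
```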
Two perspectives
Stepping back to look at the big picture, Apple has called its bug bounty program a “runaway success,” while the infosec community has shared a variety of specific criticisms and concerns about it. These include claims that Apple has not responded, or not responded promptly, and that Apple has not paid for flaws that meet the bounty program’s guidelines.
Notably, earlier this month we learned that Apple hired a new leader for its security bounty program with the goal of “reforming it.”
Author: Michael Potuck
Source: 9TO5Google