Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple with specific criticism around how the company is slow to respond, act, and didn’t give him credit for one of the three flaws that were patched. Now it appears Apple has fixed another zero-day flaw, this one in iOS 15 that Tokarev found earlier this year, without giving him credit.
In September, Tokarev said that after waiting up to half a year since reporting some of the vulnerabilities to Apple, he decided to go public with the information.
Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.
At the end of September, Tokarev shared that he got a response from Apple that said they were still working on the “issues” and apologized for the delay.
In his September blog post, Tokarev detailed a gamed zero-day flaw (one of three) that would allow any app installed from the App Store to gain access to personal user data such as Apple ID email and full name, Apple ID auth token, complete file system read access to the Core Duet database, and more.
Now Tokarev says Apple has patched the gamed zero-day he discovered in the iOS 15.0.2 security update without crediting him (via BleepingComputer).
After the first zero-day flaw Tokarev discovered and reported to Apple and he wasn’t credited when it was fixed in iOS 14.7 (July 19), the company told him:
“Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience.”
After the second was patched in iOS 15.0.2 with credit to “an anonymous researcher,” Tokarev said Apple did respond to him in six hours, but apparently didn’t have a way to fix the problem of properly citing him. Meanwhile, Apple still hasn’t responded to the analyticsd zero-day he found that was patched in iOS 14.7.
Tokarev was asked to keep the latest emails from Apple confidential and he has followed that request at this time.