Apple overhauled its security bounty program back in 2019 by opening it to anyone, increasing payouts, and more. However, the program has drawn a good amount of criticism from the infosec community. Now another security researcher has shared their experience, claiming that Apple fixed one zero-day flaw they reported without crediting them, and that three more zero-day vulnerabilities remain in iOS 15.
Security researcher illusionofchaos shared their experience in a blog post, including the claim that Apple has known about three zero-day vulnerabilities since March, has not fixed them, and that they are still present in iOS 15.
I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
illusionofchaos says they asked Apple again for an explanation and warned that they would otherwise make their research public – in line with responsible disclosure guidelines – and Apple didn’t respond.
Ten days ago I asked for an explanation and warned them that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.
illusionofchaos shared details on the three other zero-day vulnerabilities they found, the “Gamed 0-day,” “Nehelper Enumerate Installed Apps 0-day,” and “Nehelper Wifi Info 0-day,” including proof of concept source code.
Here’s an overview of each one:
Gamed 0-day
Any app installed from the App Store may access the following data without any prompt from the user:
- Apple ID email and full name associated with it
- Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user
- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user’s interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts))
- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I’ve just checked on iOS 15 and this one is inaccessible, so that one must have been quietly fixed recently)
Nehelper Enumerate Installed Apps 0-day
The vulnerability allows any user-installed app to determine whether any app is installed on the device given its bundle ID.
Nehelper Wifi Info 0-day
com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This makes it possible for any qualifying app (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in
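To make the shape of the reported nehelper flaw concrete, here is an added model (not Apple’s code and not the researcher’s proof of concept) of an entitlement check gated by a caller-supplied version field, beside one where the version field cannot widen authorization; the Request type, the function names and the sample callers are assumptions constructed for illustration.

```python
"""Model of the sdk-version gated entitlement check described above (not Apple's code).

Lesson for anyone writing a privileged helper: a compatibility hint supplied by
the caller must never decide an authorization outcome.
"""
from dataclasses import dataclass, field

WIFI_INFO_ENTITLEMENT = "com.apple.developer.networking.wifi-info"
LEGACY_SDK_CUTOFF = 524288  # threshold cited in the report


@dataclass
class Request:
    """Constructed stand-in for a message from an app to the helper (assumed shape)."""
    sdk_version: int  # chosen by the calling app, so untrusted
    entitlements: frozenset = field(default_factory=frozenset)  # from the code signature


def check_if_entitled_vulnerable(req: Request) -> bool:
    """Shape of the reported bug: callers claiming an old SDK skip the check."""
    if req.sdk_version <= LEGACY_SDK_CUTOFF:
        return True  # legacy path: entitlement never examined
    return WIFI_INFO_ENTITLEMENT in req.entitlements


def check_if_entitled_hardened(req: Request) -> bool:
    """Authorization depends only on the caller's signed entitlements.

    sdk_version may still select response formatting for old clients, but it
    never changes what the caller is allowed to read.
    """
    return WIFI_INFO_ENTITLEMENT in req.entitlements


def audit(check, cases):
    """Return the names of constructed callers granted access without the entitlement."""
    return [name for name, req in cases.items()
            if check(req) and WIFI_INFO_ENTITLEMENT not in req.entitlements]


# Constructed callers: one properly entitled app and three without the entitlement.
CASES = {
    "entitled_modern": Request(600000, frozenset({WIFI_INFO_ENTITLEMENT})),
    "unentitled_modern": Request(600000),
    "unentitled_claims_cutoff": Request(LEGACY_SDK_CUTOFF),
    "unentitled_claims_zero": Request(0),
}

if __name__ == "__main__":
    print("vulnerable check grants:", audit(check_if_entitled_vulnerable, CASES))
    print("hardened check grants:", audit(check_if_entitled_hardened, CASES))
```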
Stepping back to look at the big picture, Apple has said its bug bounty program is a “runaway success,” while the infosec community has shared a variety of specific criticisms and concerns about it. These include claims that Apple has not responded, or not responded promptly, to reports, and that Apple has not paid for discovered flaws that meet the bounty program’s guidelines.
Notably, earlier this month we learned that Apple hired a new leader for its security bounty program with the goal of “reforming it.”