Researcher dumps three iOS zero-days after Apple failed to fix issues for months
Catalin Cimpanu September 24, 2021

A security researcher published details on Thursday of three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year.

Going by the pseudonym Illusion of Chaos, the researcher published their findings on the Russian blogging platform Habr and released proof-of-concept code for each vulnerability on GitHub.

The three unpatched issues are:

A vulnerability in the gamed daemon that can expose user data such as Apple ID emails, names, and authentication tokens, and can grant file-system access. A PoC was released for this issue.

A vulnerability in the nehelper daemon that can be used from within an app to learn which other apps are installed on a device. A PoC was released for this issue.

A second vulnerability in the nehelper daemon that can be used from within an app to access a device's Wi-Fi information. A PoC was released for this issue.

The researcher said the vulnerabilities are still exploitable in iOS 15, released earlier this week.

The researcher also published proof-of-concept code for a fourth issue, affecting the iOS analyticsd daemon. This was also part of the initial four bugs they reported to Apple in April, but it was the only one the OS maker patched, in iOS 14.7 in July.

An Apple spokesperson did not return a request for comment, but several security researchers told The Record that Apple might not have prioritized the three issues because they could not lead to "code execution."

I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4; as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Illusion of Chaos on Habr

The researcher cited similar experiences from other researchers, all of whom reported issues to Apple's bug bounty program only to be ignored, have their bounties reduced, or have payments for their work delayed [1][2][3][4].

Illusion of Chaos's actions come after another researcher, disheartened with Apple's bug bounty program, also decided to release an iOS lock screen bypass on Monday, the day iOS 15 launched.

A Washington Post article published two weeks ago contained similar accusations from other researchers about how the company's security team was leaving bug reports unresolved for months, shipping incomplete fixes, low-balling monetary rewards, or banning researchers from its program when they complained.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.