Apple's Security Bounty Program was opened to the public in 2019. It offers payouts of up to $1,000,000 to researchers who share security vulnerabilities in iOS, iPadOS and macOS with Apple, including the methods used to exploit them. The program was created to ensure that Apple's software platforms are as secure as possible.
Since then, reports have emerged indicating that security researchers are dissatisfied with the program. A security researcher using the pseudonym illusionofchaos has now shared a similarly "frustrating" experience.
Kosta Eleftheriou highlighted the blog post by an unnamed security researcher who said they had reported four zero-day flaws to Apple in March and May. According to the post, three of these vulnerabilities were still present in iOS 15 while the fourth was fixed in iOS 14.7, and Apple did not credit them for it.
Let me share with you my frustrations with the Apple Security Bounty Program. Between March 10th and May 4th, I reported four 0-day vulnerabilities. Three of them remain in iOS 15.0 and one has been fixed in iOS 14.7. However, Apple chose not to include it on its security content page and covered it up. They apologized, assured me that it was due to a processing problem, and promised to include it on the security content page for the next update. They have broken their promise with each of the three subsequent releases.
According to the researcher, they warned Apple last week that their research would be made public if they did not get a response. They say Apple did not respond, which led them to disclose the vulnerabilities publicly.
One of the zero-day vulnerabilities is in Game Center. It allegedly allows any app installed from the App Store to access the following user data:
- Apple ID email with full name and associated URL.
- Apple ID authentication token that allows access on behalf of the user to at most one of the *.apple.com endpoints.
- Full file system access to the Core Duet database. This database contains a list of contacts from Mail, SMS and iMessage, together with metadata about the user's interactions with each of them (including timestamps, statistics and attachments).
- Access to the Speed Dial and Address Book databases, including contact pictures and other metadata such as creation and modification dates.
In the blog post, you will also find details about the two other zero-day vulnerabilities in iOS 15 and the one that was fixed in iOS 14.7.
You can click through to view the Game Center exploit. It's not easy. With a working security program, things like this shouldn't be allowed to slip by. It's commonplace with Apple. This is so broken that it doesn't matter if anything changes. How can it be done? Marco Arment (@marcoarment), September 24, 2021
Apple has yet to comment on the blog post. If Apple responds, we'll update the story.