If a Safari exploit is found, this is a vector to triggering it.
Yes, A vector. Now, how many vertices does this vector have?
Purchasing an AirTag -> acquire an Apple ID -> registering the AirTag -> deploying the site/providing the link to the site on the AirTag -> depositing the AirTag in some public location -> hoping someone picks it up -> hoping they know that they can hold their phone to it to obtain how to contact the person who lost it -> hoping they know THAT while at the same time NOT knowing that the information is provided without requiring your own AppleID -> and finally, hoping that they actually enter their information and submit it.
That’s 9 vertices in that vector. No matter how much money a company has, they do not have the luxury of infinite developers. Sounds surprising to a lot of folks here, I know, but true! So, if they have a backlog of far more serious internally reported OR reports from security researchers NOT trying to make a name for themselves on social media, they’re going to prioritize those over this EVERY time. I know I don’t mind this being left unresolved while some critical Bluetooth stack exploit gets resolved.
With all these steps required to perform… ALSO considering the myriad other ways that any enterprising attacker could save time by using any number of known successful ways to get the information from thousands or MILLIONS (instead of, at most, 1 or maybe two for each effort), it’s clear why this is at the bottom of the “fix” pile. There’s a pretty big gap between “What’s possible” and “What an attacker would spend time trying to do.”
And finally, a patch could have been issued within hours on this-- it's a phone number, validate that it only includes characters acceptable for a phone number and limit the field length to what's necessary for a phone number. Why isn't Apple more proactive in addressing these kinds of flaws, and why aren't they more receptive to the researchers identifying them as a service to Apple? Are the researchers hoping to get paid? Sure. I hope to get paid for my work too. Nothing wrong with that.
I know VERY few companies that are interested in making any changes to their PRODUCTION environment in hours, especially when the exploit in question requires as much set up as this one does. Perhaps if there was an exploit that required no interaction from the user, but, even in those cases, they’d likely disable the feature while they test the fix to ensure no unexpected ill effects over a day or so.
Regarding them not being paid, well everyone making a living based on hoping to be paid has made a decision that they WANT to make a living hoping to be paid. They accept that, sometimes, they make more money in a week than all their friends combined make in a year. Sometimes, their hours and hours of hard work go unpaid. If this is NOT a situation they prefer or desire, I’m not in a position to tell them how to fix that situation. I AM aware that there ARE positions that pay more reliably on a set schedule and a more reliably set amount, though. And 99% of those, likely more, don’t require waiting for a check from Apple.
What they can do in the interim is make YouTube videos… though, that’s also a business where you’re hoping to be paid…
These forums are full of Chicken Littles on all manner of trivial nonsense but, on matters of security, the response seems far too overly subdued. Security is foundational.
This one (and, really, any exploit that requires user intervention) IS trivial nonsense, though. We can look over the exploits closed at any time in the last year and all of them will stand muster as more serious than this one. I can’t think of one I’d choose to leave open and unpatched in lieu of getting this one fixed.
Those exploits that require no interaction from the user deserve all the ire that the commentariat feels worthy to righteously muster! Well, I mean, the commentariat should feel free to throw their ire in whatever direction suits them, or whatever way the wind is blowing.

If anyone wants to have a “bandwagon effect” where other folks jump on board and join in? Well, an exploit that requires interaction with a fairly rare device (that you’re TRYING to make look like it was lost) in the wild is not likely to be the one that gets legs ta jumpin’!