
macrumors bot
Original poster
Apr 12, 2001
54,690
16,867


Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after he said that Apple had ignored his reports and had failed to fix the issues for several months.


Tokarev today told Motherboard that Apple got in touch after he went public with his complaints and after they saw significant media attention. In an email, Apple apologized for the contact delay and said that it is "still investigating" the issues.
"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," an Apple employee wrote. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."
Apple did fix one of the vulnerabilities in iOS 14.7, but did not credit Tokarev for the report. Three others remain unaddressed, including a Game Center bug that allegedly allows any app installed from the App Store to access the full Apple ID email address and name, Apple ID authentication tokens, contact lists, and some attachments.

Details on all of the zero-day vulnerabilities have been published publicly by Tokarev, which may prompt Apple to fix them faster.

Tokarev first contacted Apple about these bugs between March 10 and May 4, so Apple has had months to issue patches. It's worth noting, however, that several security researchers, and Tokarev himself, have confirmed that the bugs are not highly critical, because exploiting them would first require a malicious app to pass App Store review.

Still, experts have criticized Apple's response and its bug bounty program. Cybersecurity expert Katie Moussouris told Motherboard that Apple's handling of the process is "not normal and should not be considered normal," while researcher Nicholas Ptacek said that Apple's response comes across as a "reaction to bad press."

Earlier this month, The Washington Post interviewed more than two dozen security researchers to expose the flaws in Apple's bug bounty program. Researchers said that Apple is slow to fix bugs and doesn't always pay out what's owed, leading researchers to be unhappy with Apple's program.

At the time, Apple's Head of Security Engineering and Architecture, Ivan Krstić, said that Apple is "planning to introduce new rewards for researchers" to expand participation, and that Apple is working toward offering new and even better research tools.

Article Link: Apple Apologizes to Researcher for Ignoring iOS Vulnerabilities, Says It's 'Still Investigating'
 

Realityck

macrumors 68020
Nov 9, 2015
2,441
3,457
Silicon Valley, CA
You forgot developers when it came to the whole ARM DK MacMini deal earlier this year.
In the end Apple loaned the DTK for free to devs; they got full reimbursement for that. But with dev feedback on issues/bugs, it's sheer luck if you get acknowledged, unless what you are reporting concerns something they are working on at that time. This having to make it public to get their attention is not helping them, even if it's typical of larger companies.
 

scheinderrob

macrumors regular
May 6, 2021
130
392
apple has one of, if not the worst bounty programs i've ever seen. i wonder how many vulnerabilities are being sold on the dark web because apple is too cheap. and i don't even blame the hackers. finding these takes a lot of time and skill.

i've been out of it for a while now but untethered jailbreaks used to be worth a million. probably more now.
 

centauratlas

macrumors 65816
Jan 29, 2003
1,469
2,554
Florida
In the end Apple loaned the DTK for free to devs; they got full reimbursement for that. But with dev feedback on issues/bugs, it's sheer luck if you get acknowledged, unless what you are reporting concerns something they are working on at that time. This having to make it public to get their attention is not helping them, even if it's typical of larger companies.
Precisely. Bugs take months to get attention and then often aren’t fixed.
 

uecker87

macrumors 6502
Oct 9, 2014
361
491
Madison, WI
Glad Apple was able to catch it and notify.

The investigation is in place so that's good.
In a good place? Not so sure about that. Sounds like they haven't even looked into trying to fix them yet. A developer in the Jailbreak arena saw his post and created a patch for the jailbreak community within a day or two. How ironic.

Apple can't do the same with their resources? Hmm.
 

genovelle

macrumors 65816
May 8, 2008
1,443
1,590
Gotta up your game on security, Apple. Security == Privacy.

I don't have much tolerance for being aware of serious flaws and not acting on them immediately.
Let’s see, bugs they are investigating but don’t have a solution for is better than having an open door to flaws like Android, where these same security folks clearly don’t hold Google to the same standard. On more than one occasion there have been multiple major flaws that went years unpatched, and when they were too deep they just stopped support after two years. Imagine the stink if instead of repairing it they said, instead of 5-6 years of support like normal, we are going to just start over at 2 years right now. Even though most devices are stuck on the old OS.
 

Analog Kid

macrumors 603
Mar 4, 2003
6,199
5,710
Let’s see, bugs they are investigating but don’t have a solution for is better than having an open door to flaws like Android, where these same security folks clearly don’t hold Google to the same standard. On more than one occasion there have been multiple major flaws that went years unpatched, and when they were too deep they just stopped support after two years. Imagine the stink if instead of repairing it they said, instead of 5-6 years of support like normal, we are going to just start over at 2 years right now. Even though most devices are stuck on the old OS.

This isn't a comparative issue. Apple has been slow to patch these kinds of problems. I don't know how much "investigation" needs to be done, but if there's an exploit waiting to happen, then assign the necessary resources to getting it fixed.

I don't care what Google does. If they're doing worse at this, then comparisons only invite complacency.
 

dysamoria

macrumors 65816
Dec 8, 2011
1,181
645
In a good place? Not so sure about that. Sounds like they haven't even looked into trying to fix them yet. A developer in the Jailbreak arena saw his post and created a patch for the jailbreak community within a day or two. How ironic.
You completely misquoted or misread the sentence you’re challenging...

(Edited to correct autocorrect; thanks for pointing it out!)
 