Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,676
16,850


In 2019, Apple opened its Security Bounty Program to the public, offering payouts up to $1 million to researchers who share critical iOS, iPadOS, macOS, tvOS, or watchOS security vulnerabilities with Apple, including the techniques used to exploit them. The program is designed to help Apple keep its software platforms as safe as possible.

iPhone-13-Security.jpg

In the time since, reports have surfaced indicating that some security researchers are unhappy with the program, and now a security researcher who uses the pseudonym "illusionofchaos" has shared their similarly "frustrating experience."

In a blog post highlighted by Kosta Eleftheriou, the unnamed security researcher said they reported four zero-day vulnerabilities to Apple between March and May of this year, but they said that three of the vulnerabilities are still present in iOS 15 and that one was fixed in iOS 14.7 without Apple giving them any credit.
I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.
The person said that, last week, they warned Apple that they would make their research public if they didn't receive a response. However, they said Apple ignored the request, leading them to publicly disclose the vulnerabilities.

One of the zero-day vulnerabilities relates to Game Center and allegedly allows any app installed from the App Store to access some user data:
- Apple ID email and full name associated with it

- Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user

- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)

- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one inaccessible, so that one must have been quietly fixed recently)
The other two zero-day vulnerabilities that are apparently still present in iOS 15, as well as the one patched in iOS 14.7, are also detailed in the blog post.

Apple has not yet commented on the blog post. We'll update this story if the company responds.

Article Link: Researcher Says Apple Ignored Three Zero-Day Security Vulnerabilities Still Present in iOS 15
 
Last edited:

DesertDrummer

macrumors regular
Oct 19, 2011
153
551
Phoenix, AZ
It's clear the wheels are coming off the cart under Cook the past few years.

Oh really? Is that "clear"? Are the "wheels coming off the cart"?

Because from my perspective, I see the M1 transition blowing minds. I see Swift turning into a major powerhouse. I see Macs making a major comeback in the marketplace beyond any time in the past 20 years. I see Apple counting stacks.

So which "wheels" are these that you're referring to exactly?
 

Soba

macrumors 6502
May 28, 2003
337
462
Rochester, NY
It seems obvious that Apple's software development process is broken, giving almost everything they release a feeling of being incomplete, unreliable, and unnecessarily rushed. Software will never be perfect, but this kind of problem is an unforced error on Apple's part.

Apple increasingly looks like a company that is more concerned about image and that is trying to cover up shortcomings through marketing rather than using solid engineering techniques to get the product right.

Tim Cook heads the company and he deserves a lot of flak, but I suspect there are major problems at all levels. Perhaps it's time to clean house.
 

turbineseaplane

macrumors G3
Mar 19, 2008
8,923
15,181
It seems obvious that Apple's software development process is broken, giving almost everything they release a feeling of being incomplete, unreliable, and unnecessarily rushed. Software will never be perfect, but this kind of problem is an unforced error on Apple's part.

What's so frustrating about this is that it's an "own goal".

Apple alone has insisted on this pointless constant march towards an "all new***" iOS version every year, when literally nobody wants that.

We all want features added over time when they are ready, sure. But more than that, people want things to get more polished, more optimized, faster, smoother, better, more well thought out.

Almost all of that is eliminated by forcing a full new version every year. The cycle of "fixing bugs" and "ironing out issues" never completes and then just restarts every Fall. It. Sucks.

iOS (and macOS) need to be "running releases" that get worked on and made better for a 3-4 year run before totally new versions.

They've made a treadmill for themselves and they can't keep up.
 

rjohnstone

macrumors 68040
Dec 28, 2007
3,758
4,138
PHX, AZ.
What's so frustrating about this is that it's an "own goal".

Apple alone has insisted on this pointless constant march towards an "all new***" iOS version every year, when literally nobody wants that.

We all want features added over time when they are ready, sure. But more than that, people want things to get more polished, more optimized, faster, smoother, better, more well thought out.

Almost all of that is eliminated by forcing a full new version every year. The cycle of "fixing bugs" and "ironing out issues" never completes and then just restarts every Fall. It. Sucks.

iOS (and macOS) need to be "running releases" that get worked on and made better for a 3-4 year run before totally new versions.

They've made a treadmill for themselves and they can't keep up.
As much as it pains some, ever since Microsoft started taking this approach with Windows 10, it's been getting more reliable. Windows 11 is their first major release in 6 years.
 

goobot

macrumors 603
Jun 26, 2009
6,141
3,385
long island NY
What's so frustrating about this is that it's an "own goal".

Apple alone has insisted on this pointless constant march towards an "all new***" iOS version every year, when literally nobody wants that.

We all want features added over time when they are ready, sure. But more than that, people want things to get more polished, more optimized, faster, smoother, better, more well thought out.

Almost all of that is eliminated by forcing a full new version every year. The cycle of "fixing bugs" and "ironing out issues" never completes and then just restarts every Fall. It. Sucks.

iOS (and macOS) need to be "running releases" that get worked on and made better for a 3-4 year run before totally new versions.

They've made a treadmill for themselves and they can't keep up.
That’s why I wait months after major updates to update the last few years, Apple software quality has hit the drain
 

BobSc

macrumors member
Mar 29, 2020
35
69
Oh really? Is that "clear"? Are the "wheels coming off the cart"?

Because from my perspective, I see the M1 transition blowing minds. I see Swift turning into a major powerhouse. I see Macs making a major comeback in the marketplace beyond any time in the past 20 years. I see Apple counting stacks.

So which "wheels" are these that you're referring to exactly?
The wheels that are coming off aren't the hardware items you mentioned. It's the attitude. I'm been an apple customer since about 1987. I've purchased tens of thousands of dollars of equipment. The wheels started coming off when apple switched to their insane policy of new OS's every year. That's more important to apple than making sure their hardware and software is as bug free as possible. Apple used to have a customer oriented mentality. That's gone. And in fact the wheels are't even on any more. The number of significant bugs in iOS 15 is proof enough. I used to think that apple could do no wrong. I now wonder if they can do much that is right!
 

DontDrinkTheAppleJuice

macrumors newbie
Aug 22, 2021
2
7
As much as it pains some, ever since Microsoft started taking this approach with Windows 10, it's been getting more reliable. Windows 11 is their first major release in 6 years.
Now only if hardware OEMs would stop trying to follow behind Apple with sh*t hardware design choices and make better hardware. Windows is reliable, these hardware OEMs aren’t.
 

mannyvel

macrumors 65816
Mar 16, 2019
1,021
1,709
Hillsboro, OR
Security researchers are so obnoxious. "If they took security seriously these vulnerabilities would never happen."

Uh duh, the only software that doesn't have with security bugs are the ones that don't ship.

All these guys need to be slapped with a wet fish until they understand that ANSI-1 level security is not something that 99% of the people care about.
 

Shreducator

macrumors regular
Oct 17, 2020
105
161
The Apple cult always puts on horse blinders and pretends Apple always has perfect solutions to this. If Israel has Pegasus then you better believe other governments have their versions as well. You can’t disprove that Apple works with governments. They had no problem handing the encryption keys for the Chinese servers over to the CCP.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.