Like, writing it into an app, actually uploading it to the AppStore, and not telling anyone there's a live exploit being downloaded by users?

Sorry my French, but FFS the app IN THE APPSTORE AND REVIEWED BY APPLE had no _malicious content_ or the exploit itself.

Watch the friggin video, it's explained there.

As it looks right now, the exploit is the smaller news here. The bigger is the seemingly useless app-review.
 
Knowing about a bug and finding a way to exploit it are two different pair of shoes.
Also, fixing a bug when you know where the problem is is infinitely faster than finding and fixing a bug without knowing how to exploit or where the bug is to begin with.

I know that a vulnerability does not equal an exploit, exploits take time to develop, and that an exploit may never be discovered for a given vulnerability.

Again, do you really think he told them exactly where it was? It is very likely they are going in blind.
 
He was before this. :rolleyes:

Why do so many people who don't know about this guy, his work and what he's done insist on bashing him? At least take the time to research the guy before you make assumptions about him.

No, previously he was "security researcher famous", now he's "Forbes famous".

I stand by what I said in the rest of my post (that you didn't quote): I suspect this was all adroitly timed to drum up attendance for his talk in Taiwan next week.
 
Ok, if you want to think of it like that ... :rolleyes:
You really think he hasn't told them specifics about which parts of the MobileSafari/Nitro-code his exploit is working with and under which circumstances, do you? Ha.
I think he does know how to talk with Apple after all the stuff he exploited for Pwn2Own and also the previous iOS-hacks (text messages for up to iOS 3.0). :D:apple:
 
He got his "15 minutes of fame". Besides that, that developer really created a malware with remote control from his server. Too bad.
 
Sounds like Apple is sore they didn't catch the exploitative app. I'm glad he did this because it will make them more aware and able to protect the integrity of our devices.
 
He found a glaring security hole in a major piece of software, and theorized about how to exploit it. He reported the findings to the company to give them a chance to issue a fix.

With nothing heard, he released the exploit (or, in this case, a demonstration of the exploit).

That's what responsible security analysts do. I bet Apple fixes this now, and it took him breaking their TOS to get them to do it. Good for him.
 
What a jerk. If you find such a bug, you should contact Apple and let them know so they can fix it, releasing it out to the world is being a jerk.

Edit: After reading more comments, if he did tell Apple, shame on Apple for not addressing it.
 
Each company has their own timetable for fixing exploits. Apple has always been a little slow. But when is Apple acting too late? Maybe Apple was on the point of fixing it, and then suddenly this researcher releases a proof of concept into the wild. Who knows? Security researchers have a great sense of self-importance, not just a need to protect the public. Boring news.
 
No, previously he was "security researcher famous", now he's "Forbes famous".

I stand by what I said in the rest of my post (that you didn't quote): I suspect this was all adroitly timed to drum up attendance for his talk in Taiwan next week.

Guy was already Forbes famous. Might want to check your facts first.
 
I can see his point of going through the trouble of getting it approved to indicate how serious of a threat it was, but he really should have told them as soon as he noticed it.
 
... Find, prove, report, wait a few weeks, publish. That's the modus operandi...

...With nothing heard, he released the exploit (or, in this case, a demonstration of the exploit)...

If that was true, then I might agree (although I'd quibble about waiting just a few weeks). But the actual timeline he used was: Find, prove (wait months?), publish, wait 3 weeks, report. If the big thing he had to 'prove' was that he could trick somebody to approve the app, then that's already been done by others. This was infantile, pure and simple. Not that we don't all do silly things sometimes, but I like to think that I realize it upon reflection.
 
If that was true, then I might agree (although I'd quibble about waiting just a few weeks). But the actual timeline he used was: Find, prove (wait months?), publish, wait 3 weeks, report.

He hasn't published yet. He's doing so next week. He reported on Oct 14th.
 
He hasn't published yet. He's doing so next week. He reported on Oct 14th.
He published the video on Sep 23, making it known that there is a flaw in Nitro (though granted, not the details). And when did he actually find the flaw? How many months was he sitting on this? Nobody knows. Not that he's obligated to do Apple's debugging for them, but if you find something, you should report it.
 
He published the video on Sep 23, making it known that there is a flaw in Nitro (though granted, not the details). And when did he actually find the flaw? How many months was he sitting on this? Nobody knows. Not that he's obligated to do Apple's debugging for them, but if you find something, you should report it.

He hasn't published the details, so it's not like people can replicate the exploit without having to go through all the work in figuring it out.

Publishing would be publicly disclosing how the exploit works and what the vulnerability actually is.
 
The BBC News homepage lead technology headline reads:

Apple store hit by malicious app

Not great publicity.
 
He hasn't published yet. He's doing so next week. He reported on Oct 14th.

And published an app in Sept.

He set himself up to just draw more attention on him. He doesn't care about the actual security of iOS, he just needed a little publicity before his talk this month. Miller is no better than the software makers that publish news of a "new" vulnerability right before a new update to their software. He's a smart guy, but he's nothing more than an attention whore because of the way he handles himself.

Overall, Chuck, douche move.
 
You're missing the point.

He knew about the vulnerability since March ... he developed an exploit, wrote an app, put it in the app store, kept quiet all the way through the beta process, waited until Apple had released iOS5 to the public and then told Apple that a vulnerability existed. He had 8 months. Apple has had 3 weeks.

<snip>

There, fixed that for you... :)
 
Hire him

If Apple have any sense they should consider hiring him. If he can highlight such a loophole in their security he'd be an asset to the company.
 
And published an app in Sept.

Of course, that was part of his proof of concept, proving that the vulnerability could be exploited to download and execute unsigned code and that Apple's application approval process wouldn't catch it.

Once that was done, all that was left was to document things to submit to Apple.

You seem to really have a need to point out this was made to get attention. Are you lacking attention yourself? We got your opinion the first time.

----------

If Apple have any sense they should consider hiring him. If he can highlight such a loophole in their security he'd be an asset to the company.

Again, not the first time this guy has outed vulnerabilities in Apple software. Dunno why this one warrants getting hired more than the others. Who knows, he's probably already turned down Apple the first few times they wanted to hire him.
 
He hasn't published the details, so it's not like people can replicate the exploit without having to go through all the work in figuring it out.

Publishing would be publicly disclosing how the exploit works and what the vulnerability actually is.
They've had 8 months to replicate it, why not? That's what black hat hackers do, that's their modus operandi. It'd be nice if, in a perfect world, Apple had also found the bug long ago, but they didn't. And it would be nice if, given hints, malicious people weren't able to figure things out more easily. I'm not interested in shading the definition of publishing, he published it. Partial publishing is still a publication. And don't tell me that he had to prove that social engineering works by getting it into the App store, everybody knows you can do that. That's just a dodge to divert attention from his irresponsibility. There was an App he controlled in the store which could browse the files of anybody who used it. That's malware and I find your defense of it unconvincing.
 