That's what people are supposed to do and actually do. :)

He actually reported it to Apple several weeks ago. He only apparently went public with his findings when Apple did not address the bug.

Publicizing unfixed security flaws is actually pretty common in the information security world; it is intended to get attention to the problems so that they are fixed instead of ignored.
 
He actually reported it to Apple several weeks ago. He only apparently went public with his findings when Apple did not address the bug.

When? Please source.

Publicizing unfixed security flaws is actually pretty common in the information security world; it is intended to get attention to the problems so that they are fixed instead of ignored.

It is also foolish and illegal considering security of data and the people themselves at risk.
 
Are you an Apple developer? Bug Reporter is very active and an issue like this is treated as DEFCON 1. This is a huge bug which, when exploited, is an unbelievably huge security leak. Apple cannot tolerate having left this for more than a week either.

The security analyst was an Apple developer and used this bug reporter a lot according to the source article.
 
It's one thing to find a security hole and professionally inform Apple, quite another to write an app to exploit it and announce you will tell the world how to do it at a conference in a week...

Charlie is a smart guy who makes some really stupid decisions.

Professional developers disclose issues in iOS to Apple through secure channels all the time without this media madness.

According to the original article he apparently did inform Apple and they did not give him a response.
 
He actually reported it to Apple several weeks ago. He only apparently went public with his findings when Apple did not address the bug.


When? Please source.

Source is the news you are commenting on; the Forbes article is linked in the MacRumors article.

I must correct myself, though: he reported it to Apple on Oct 14, not Oct 17 as I mistakenly said above.

It is also foolish and illegal considering security of data and the people themselves at risk.

Illegal? Hardly. Publicity is often considered the greatest tool in security, and secrecy is just security by obscurity. When the holes are in the open, people know how and have the motivation to fix them. Now it would be another thing entirely if he were to exploit the bug in practice to reach other people's data - that certainly could and would be illegal.

I know some disagree with the open philosophy (and certainly there are merits for a debate), but this is really a very common point of view in the information security world and e.g. a reason why many consider open-source the securest form of software because it is out in the open for all to see (and thus learn/analyze/fix).
 
I guess he should have told Apple about it instead of submitting that app

I think the issue is that if he had simply told them about the issue, Apple would just have told him that "this is not a problem, since we would catch this behavior when checking the app when it's submitted". Now he showed that that is not the case.
 
This is like finding a breach in the security system of a bank. Even if I demonstrate it by breaking in and robbing some money, that won't stop me from being arrested by the police. The stance of Apple is understandable.
 
I think the issue is that if he had simply told them about the issue, Apple would just have told him that "this is not a problem, since we would catch this behavior when checking the app when it's submitted". Now he showed that that is not the case.

It seems this resonates somewhat with what happened, with the exception that indeed he did report it to Apple on Oct 14. The flaw has not been addressed so far, but I am pretty sure it will be addressed now...
 
Apple should prosecute him for extortion

Doesn't extortion involve demands for money or something? He made no such demands. And he reported the bug to Apple fair and square, with no expectations of reward. Later he submitted an app that exploited the flaw in order to demonstrate the weakness.

And that's extortion.... how?
 
I guess he should have told Apple about it instead of submitting that app
I wasn't aware that Google rewarded people for exploiting their security flaws without their consent. :rolleyes:

No company or person likes to be exploited. Miller should have revealed the findings instead of trying to take advantage of the flaw.

It's one thing to find a security hole and professionally inform Apple, quite another to write an app to exploit it and announce you will tell the world how to do it at a conference in a week...

Telling Apple about it? Excellent, have a cookie.

Uploading an exploit to a live environment where people can download it? Not cool.
Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th.
http://www.forbes.com/sites/andygre...per-program-for-proof-of-concept-exploit-app/

But you people are absolutely right, he should have kept quiet and sold the exploit on the black market.
What a fool, there are of course no bugs in Apple products. :D:apple:

----------

It seems this resonates somewhat with what happened, with the exception that indeed he did report it to Apple on Oct 14. The flaw has not been addressed so far, but I am pretty sure it will be addressed now...

When you report the flaw, and nothing happens, you have two options:
1.) Wait till somebody else finds the flaw and REALLY REALLY exploits it - the told-you-so strategy.
or 2.) DO SOMETHING ABOUT IT.
:D:apple:
 
This is like finding a breach in the security system of a bank. Even if I demonstrate it by breaking in and robbing some money, that won't stop me from being arrested by the police. The stance of Apple is understandable.

That is because breaking and entering, and stealing money even if just for a demo, is actually illegal. I doubt submitting an app with the ability to receive external commands is necessarily anything but a TOS violation, unless you exploit that app to do something. Maybe in this instance it was a stupid thing to do, but it may also have been a really useful thing to do. I think many companies (in some instances even Apple) have welcomed security input like this, even though it might be embarrassing.

I'd rather these security holes are found and tried out by the good guys, instead of hearing it after the fact from the bad guys. If Apple had responded in a timely manner to his bug report of Oct 14, they would have stopped this app in its tracks by fixing the flaw that made its use possible.
 
They made a mistake in the article. The guy's name is Dan Castellaneta :cool:

 
He actually reported it to Apple several weeks ago. He only apparently went public with his findings when Apple did not address the bug.

<snip>

Source and quote, please.

The security analyst was an Apple developer and used this bug reporter a lot according to the source article.

I've just read the Forbes article twice and I can't find any mention of this.

According to the original article he apparently did inform Apple and they did not give him a response.

Perhaps you could quote where this is stated, because I can't find it.

All I can find is that the author of the article, Andy Greenberg, has "reached out to Apple for comment but haven’t yet heard from the company."

*edit* OK, I've found it. There are 2 source articles linked in the original post. Perhaps a mod could make that a bit clearer?
 
When you report the flaw, and nothing happens, you have two options:
1.) Wait till somebody else finds the flaw and REALLY REALLY exploits it - the told-you-so strategy.
or 2.) DO SOMETHING ABOUT IT.
:D:apple:

Well put.

And it seems this guy, who had his access revoked, actually only spoke to a Forbes reporter at this point. It is not like he went out there with a how-to for hackers. Next week he seems to have the opportunity to teach other security analysts about this at a convention; Apple has plenty of time (and has had weeks) to fix this before the technical details are outed to a larger audience.

And now users know, so that they can take whatever steps they deem appropriate. Who knows what malicious apps might already be out there using this vulnerability, that someone who did not inform Apple or the public might have also discovered?
 
Are you an Apple developer? Bug Reporter is very active and an issue like this is treated as DEFCON 1. This is a huge bug which, when exploited, is an unbelievably huge security leak. Apple cannot tolerate having left this for more than a week either.

Plus the guy made an app. Submitted it. Got it accepted and placed in the app store. Probably spent a month just to prove his concept.
Great. That's how you get revoked.

On another note, I'd be surprised if Apple doesn't take a stance against this developer, as instead of giving this info to Apple, he decided he would make a video out of it and bring in some free media hype and undeniable fame. Cool.

Yes, I am an Apple developer. Also, he was already famous. And he is helping Apple improve. Apple doesn't seem to be good at accepting help. I've tried reporting bugs myself in the past, and they made it almost impossible at every step (you can see my post history for the 'tails).
 
He should invoice Apple a consulting fee for finding the bug. Offer his consulting services to Apple. Bill at $250 / hr, expose that half talent that can't code a dynamic hash table in the iOS security group and profit.
 
Source and quote, please.

I've just read the Forbes article twice and I can't find any mention of this.

Perhaps you could quote where this is stated, because I can't find it.

All I can find is that the author of the article, Andy Greenberg, has "reached out to Apple for comment but haven’t yet heard from the company."

http://www.forbes.com/sites/andygre...per-program-for-proof-of-concept-exploit-app/

“I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”
Apple didn’t immediately respond to my request for comment.

Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th.

As for "Apple addressing the bug", that was my way of saying apparently there has been no bug fix released. If the flaw was already fixed in the latest iOS it would probably be a lesser issue. I do concede I have not verified whether or not it has been fixed, but the first Forbes article does make it seem like it has not - assuming it is correct of course.

http://www.forbes.com/sites/andygre...curity-bug-lets-innocent-looking-apps-go-bad/

The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Miller won’t say just what that bug is until his talk next week in order to give Apple more time to fix the flaw [which he reported to Apple on Oct 14, quoter note].
 
I wasn't aware that Google rewarded people for exploiting their security flaws without their consent. :rolleyes:

No company or person likes to be exploited. Miller should have revealed the findings instead of trying to take advantage of the flaw.

Yes, because Apple have such a good history of behaving in a timely manner when security flaws that aren't related to jailbreaking their devices are revealed.

Are you an Apple developer? Bug Reporter is very active and an issue like this is treated as DEFCON 1.

I wish I could get a job where I could sit on my ass for going on a month when a "DEFCON 1" problem appears.
 
Gaah, why can't these hackers just keep quiet about these things so that Apple can continue marketing iOS and OS X as completely without security issues...
 
Yep. Instead of saying, 'Hey, Apple - I've found a flaw', he goes and grandstands.

Oh well, any marketing is good marketing these days, isn't it?
 
Yep. Instead of saying, 'Hey, Apple - I've found a flaw', he goes and grandstands.
People really don't read any comments in here and just go straight to "Post reply" to spew off some venom, do they? :D:apple:
 