Recently, Apple's security bounty program, which offers rewards of up to 1 million U.S. dollars, was publicly criticized by an anonymous security researcher. In a recent blog post, the researcher expressed dissatisfaction with Apple's "perfunctory" attitude toward the program, which sparked heated discussion.
In 2019, Apple opened its security bounty program to the public, offering up to $1 million to researchers who share critical security vulnerabilities in iOS, iPadOS, macOS, tvOS, or watchOS with Apple, in order to improve the security of its own platforms.
Since then, there have been reports that some security researchers were not satisfied with the program. This Friday, a security researcher writing under the pen name "illusionofchaos" shared a "frustrating experience".
The security researcher's original text is as follows:
“I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.”
In the article, he described his "frustrating experience" participating in the Apple Security Bounty program. Between March 10 and May 4 of this year, he reported four zero-day vulnerabilities (a "zero-day" is a security vulnerability that is unknown to the vendor and unpatched, and so can be maliciously exploited as soon as it is discovered). As of now, three of these vulnerabilities are still present in the latest iOS version, 15.0, and one was fixed in iOS 14.7, but Apple did not list that fix on its security content page, "quietly" covering up the fact.
When he confronted Apple, the company apologized, said it would deal with the issue, and promised to list the vulnerability on the security content page of the next update.
Since then, Apple has updated its security content page three times without keeping that promise once.
The researcher said that he and his supporters had already issued a final "warning" to Apple last week: if they did not receive a reply, they would make their research on these vulnerabilities public. Apple simply ignored the request, which led to the publication of the complaint post disclosing the vulnerabilities, and it immediately struck a chord in the industry.
The developer Kosta Eleftheriou also commented on the researcher's "frustrating experience" in a blog post, emphasizing that "Apple did not give them any trust."
One of the zero-day vulnerabilities disclosed by "illusionofchaos" is related to Game Center and allows any application installed from the App Store to access the following user data:
1. The Apple ID email address and its associated full name;
2. The Apple ID authentication token (which allows access on behalf of the user to at least one endpoint on *.apple.com);
3. Full file-system read access to the Core Duet database (which contains contact lists from Mail, SMS, iMessage and third-party messaging applications, metadata about all of the user's interactions with these contacts, including timestamps and statistics, and some attachments such as URLs and text);
4. Full file-system read access to the Speed Dial database and the Address Book database, including contact pictures and other metadata such as creation and modification dates (according to his inspection, this content is no longer accessible on iOS 15 and appears to have been quietly fixed recently).
In the same blog post, he also detailed the two other zero-day vulnerabilities that still exist in iOS 15 and the one that was "quietly" patched in iOS 14.7.
The incident has drawn comments from many developers and security researchers in the industry. Some commented that the Game Center vulnerability is, generally speaking, very "crude", and that something like it should hardly "slip through" when a security program is operating normally. For Apple, however, this appears to be "commonplace", and the "rules of the game" seem to have been completely broken.
Apple has not yet commented on this blog post by "illusionofchaos". The researcher said that if Apple responds later, he will update the article.
This site will continue to pay attention to the final direction of this event. If you have any views on this event, please leave a message in the comment area.
Reference link:
https://www.macrumors.com/2021/09/24/ios-15-zero-day-vulnerabilities-report/