An anonymous bug bounty hunter, in a fit of rage, has published proof-of-concept (PoC) exploit code for three iOS zero-day vulnerabilities (plus a fourth bug that Apple had already patched in iOS 14.7).
The anonymous bug bounty hunter who discovered the four zero-day vulnerabilities reported them to Apple between March 10 and May 4. However, Apple quietly patched one of them in July with the release of iOS 14.7, without crediting the researcher in its security bulletin.
“When I confronted them, they apologized to me, assured me that this happened due to a handling issue, and promised to list it on the next update’s secure content page,” the researcher said earlier today. “Three versions have been released since then, each time breaking their promise.”
When he asked why the list of fixed iOS security vulnerabilities did not credit him for the zero-day he had reported, Apple told him: “Due to a processing issue, your credit will be included in a security bulletin in an upcoming update. We apologize for the inconvenience.”
Since then, security advisories have been released for iOS 14.7.1, iOS 14.8, and iOS 15.0, yet all of his attempts to get an explanation for Apple’s failure to fix the remaining unpatched vulnerabilities, and for its refusal to credit him, have been ignored.
An Apple spokesman declined to comment when contacted for more details.
PoC exploit code for three zero-days published in anger
After Apple declined to respond to his request for clarification, the bug bounty hunter today released proof-of-concept exploit code on GitHub for all four of the iOS zero-day vulnerabilities he reported, together with an app that collects the sensitive information and displays it in its user interface:
1. Gamed 0-day (iOS 15.0): Can be exploited through user-installed App Store apps to gain unauthorized access to sensitive data normally protected by TCC prompts or the platform sandbox (listed on Apple’s security bounty program page at $100,000):
Apple ID email and the full name associated with it;
Apple ID authentication token that allows access to at least one endpoint on *.apple.com on behalf of the user;
Full filesystem read access to the Core Duet database [containing contact lists from Mail, SMS, iMessage and third-party messaging apps, metadata about all of the user’s interactions with those contacts (including timestamps and statistics), and some attachments (such as URLs) and text];
Full filesystem read access to the speed dial database and the address book database, including contact pictures and other metadata such as creation and modification dates (just checked on iOS 15: this one is inaccessible, so Apple must have quietly fixed it recently).
2. Nehelper Enumerate Installed Apps 0-day (iOS 15.0): Allows any user-installed app to determine whether any other app is installed on the device, based on its bundle ID.
3. Nehelper Wifi Info 0-day (iOS 15.0): Allows any eligible app (e.g. one with location access authorization) to access Wi-Fi information without the required permission.
4. Analyticsd (fixed in iOS 14.7): Allows any user-installed app to access analytics logs containing:
Medical information (heart rate, detected atrial fibrillation count, and irregular heart rhythm events)
Menstrual cycle length, biological gender and age, whether the user recorded sexual activity, cervical mucus quality, etc.
Device usage information (device pickups in different contexts, push notification counts, user actions, etc.)
Screen time information and session counts for all apps with their respective bundle IDs
Information about device accessories and their manufacturer, model, firmware version, and user-specified name
App crashes with bundle id and exception code
The language of the web page the user is viewing in Safari
Exploit code confirmed to work on iOS 15.0
Apple did not reply to confirm any of the researcher’s claims. However, software engineer Kosta Eleftheriou confirmed that the app designed to exploit the Gamed zero-day vulnerability and collect sensitive user information works on the latest iOS version, iOS 15.0.
I can confirm that the exploit runs successfully on iOS 14.8.
I can also confirm that the exploit works on iOS 15.0 – it is able to silently extract a *treasure trove* of personal information without any kind of user prompt.
— Kosta Eleftheriou (@keleftheriou) September 24, 2021
“All this information is being collected by Apple for unknown purposes, which is very disturbing, especially the fact that medical information is being collected,” said the anonymous bug bounty hunter, referring to the analyticsd zero-day vulnerability that was silently patched in iOS 14.7.
“That’s why Apple’s claim that they care deeply about privacy is very hypocritical. Even with ‘Shared Analytics’ turned off in settings, all this data is still being collected and made available to attackers.
“My actions complied with responsible disclosure guidelines (Google Project Zero discloses a vulnerability 90 days after reporting it to the vendor, ZDI after 120 days). I waited longer, up to half a year,” the anonymous bug bounty hunter added.
Other security researchers and bug bounty hunters have had similar experiences reporting bugs to Apple’s product security team through the Apple Security Bounty Program. As recently as this year, some of them reported that they did not receive the amount listed on the official bounty page, or any payment at all; others said they were kept waiting for months only for it to come to nothing, with Apple no longer replying to their messages.
Others have also stated that their bugs were quietly fixed and that Apple refused to pay them a bounty, as in the case described in this article.