Earlier this week, Apple released iOS 15 and other updates to all users worldwide. Now a security researcher claims that Apple snubbed him over a zero-day vulnerability he reported, and that the company has still not fixed three other zero-day vulnerabilities that are also present in iOS 15.
In a blog post, security researcher illusionofchaos describes his "frustrating experience participating in the Apple Security Bounty Program." The program offers rewards to independent researchers for finding and reporting vulnerabilities in Apple's operating systems. The researcher writes that he reported four zero-day vulnerabilities to Apple between March 10 and May 4. One of them was patched in iOS 14.7, but the researcher claims that Apple "decided to cover it up and not list it on the security content page."
When I confronted them about it, they apologized, assured me it was a processing issue, and promised to list it on the security content page of the next update. Since then, there have been three updates, and each time the promise has been broken.
iOS 15 is said to contain three dangerous security vulnerabilities
The other three vulnerabilities are said to remain unpatched, even in iOS 15. According to illusionofchaos, Apple is knowingly ignoring them.
Ten days ago I asked for an explanation and warned that I would publish my research if I did not receive an explanation. My request was ignored, so now I am doing what I said. My actions are in line with the responsible disclosure guidelines.
The three unpatched vulnerabilities include a bug that allows apps downloaded from the iOS App Store to read data such as the user's Apple ID and contact information. Another allows any app to check whether a given app is installed on the device, while the third allows apps with location access to read Wi-Fi information. This isn't the first time a security researcher has complained about Apple's Security Bounty Program. Apple itself has not yet commented on the issue.
(Photo by Unsplash / William Hook)