Last week, security researcher Denis Tokarev publicly disclosed several zero-day iOS vulnerabilities after he claimed that Apple ignored his reports and failed to fix the issues for several months. Apple has now apologized to the researcher.
Speaking to Motherboard today, Tokarev said that Apple got in touch only after he took the bug reports to the public domain and after they drew the media’s attention. Apple responded to the researcher in an email apologizing for the contact delay, saying that it is “still investigating” the issues.
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” an Apple employee wrote. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”
The researcher claims that he contacted Apple about the bugs between March 10 and May 4, giving Apple several months to patch the issues before he decided to put them online.
Interestingly enough, Apple patched one of the vulnerabilities Tokarev disclosed via the iOS 14.7 update. However, Tokarev was not credited for the discovery of the vulnerability. When confronted, Apple apologized and reassured the researcher that he wasn’t credited due to a processing issue and the security content page of the next update would give him due credit. Three software update releases have followed since then, and Apple didn’t honor its word.
Three other zero-day issues remain unaddressed in iOS 15, including a Game Center bug that could allow any App Store-installed application to access the full Apple ID email address and name, contacts, some attachments, and Apple ID authorization tokens.
Tokarev himself and several security researchers admitted that the bugs Tokarev discovered weren’t critical. They would require a malicious app to be approved for publishing on the App Store first. Nonetheless, we believe that Apple should have handled the vulnerabilities promptly.
Now that Tokarev has publicly disclosed the four zero-day vulnerabilities, bad actors could develop exploits for them in the wild, thereby prompting Apple to act on them immediately.
Tokarev isn’t the first vocal critic of Apple’s bug bounty program. Earlier this month, a Washington Post report highlighted how over two dozen security researchers concurred that Apple is slow to fix bugs and doesn’t reward researchers as promised, fueling widespread mistrust and unhappiness.[Via Motherboard]