Earlier this week, Apple released iOS 15 and other updates to all users worldwide. Now a security researcher claims that Apple brushed him off over a zero-day vulnerability he reported, and that the company still has not fixed three other zero-day vulnerabilities that remain present in iOS 15.
In a blog post, security researcher illusionofchaos describes his "frustrating experience participating in the Apple Security Bounty Program." The program pays independent researchers for finding and reporting vulnerabilities in Apple's operating systems. The researcher writes that he reported four zero-day vulnerabilities to Apple between March 10 and May 4. One of them was patched in iOS 14.7, but he claims that Apple "decided to cover it up and not list it on the security content page."
When I confronted them about it, they apologized, assured me it was a processing issue, and promised to list it on the security content page of the next update. Since then, there have been three updates, and each time the promise has been broken.
iOS 15 is said to contain three dangerous security vulnerabilities
The other three vulnerabilities are said to remain unpatched, even in iOS 15. According to illusionofchaos, Apple is knowingly ignoring them.
Ten days ago I asked for an explanation and warned that I would publish my research if I did not receive an explanation. My request was ignored, so now I am doing what I said. My actions are in line with the responsible disclosure guidelines.
The three vulnerabilities include a bug that lets apps installed from the App Store read data such as the user's Apple ID and information about their contacts. A second lets any app determine whether another app is installed on the device, and a third lets apps that already have location access obtain WiFi information. This is not the first time a security researcher has complained about Apple's Security Bounty Program. Apple itself has not yet commented on the matter.