Apple has quietly fixed a zero-day vulnerability in iOS 15.0.2 that could have allowed apps to access sensitive data. Unfortunately, Apple has not officially listed the original discoverer of this vulnerability.
The zero-day vulnerability was discovered by software developer Denis Tokarev seven months before the release of iOS 15.0.2. In September, Tokarev wrote a blog post describing some of his interactions with Apple's Bug Bounty Program, including not being credited for another bug that was fixed. Now he has again not been mentioned by name. According to Bleeping Computer, Tokarev reached out to Apple after the release of iOS 15.0.2 to inquire about the lack of recognition. Apple responded and asked him to keep the contents of their email exchange confidential.
Zero-day vulnerabilities: Security researchers feel ignored by Apple
The vulnerability was an exploitable bug that would have allowed user-installed apps from the App Store to gain unauthorized access to sensitive data that is normally protected by sandboxing or by the Transparency, Consent, and Control (TCC) mechanisms. According to Apple, these bugs are worth up to $100,000. In total, Tokarev reported four vulnerabilities to Apple. The company fixed one of them in iOS 14.7 and the second in iOS 15.0.2. Two of the zero-day vulnerabilities are still present in the latest version of iOS 15. Apple says they are "still investigating." This is not the first time a security researcher has claimed to have been passed over by Apple's bug bounty program. In September, a report was published detailing complaints from security researchers that were ignored, not acknowledged, or not paid.