Apple Inc. seems to be a repeat offender when it comes to clandestinely fixing security vulnerabilities. It appears the company accepts valuable input about vulnerabilities, and silently patches them. However, the iPhone maker does not reward, credit, or even acknowledge the security experts who discovered them.
Apple Inc. recently rolled out the iOS 15.0.2 update, which addressed a few security flaws. The company had similarly released about 8 updates for iOS 14. However, the company apparently did not appreciate the people who discovered and reported the security flaws.
Apple Inc. routinely accepts but never acknowledges bug reports, claim bug hunters:
Every major tech company, be it Google, Facebook, Twitter, etc., has a Bug Bounty program. Many security, software, and networking experts routinely discover flaws within Internet platforms and report them.
Companies often reward such “White Hat Hackers” handsomely for their discoveries. Rewards often vary as per the severity, repeatability, and complexity of the security flaw.
😡Apple quietly fixed gamed vulnerability in iOS 15.0.2 without giving me credit. Took them 7 months to fix it! Both of my other 0-days are still unpatched. (Thread)
— Denis Tokarev (@illusionofcha0s) October 12, 2021
Apple Inc. seems to take a completely different route, claims software developer Denis Tokarev. According to him, Apple Inc. received his bug discovery report seven months ago.
The company addressed the vulnerability in iOS 15.0.2. However, Apple Inc. failed to acknowledge or credit Tokarev for his discovery.
Apple releases iOS 15.0.2 with some Find My fixes https://t.co/dSlWzGJtAG pic.twitter.com/UHbqlyxRzK
— The Verge (@verge) October 11, 2021
Incidentally, this is not the first time Apple Inc. allegedly snubbed Tokarev. Back in July this year, Apple Inc. silently patched an ‘Analyticsd’ 0-day flaw with the release of iOS 14.7. The company reportedly promised to acknowledge his report in the security advisories for an upcoming update.
Needless to mention, after iOS 14.7, Apple Inc. released iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1. All of these minor updates addressed multiple iOS vulnerabilities. However, Tokarev did not find his name in any of them.
Seems that they don't have a separate protocol on handling reports which were already disclosed. And if this message contains a legit excuse, they could save a tiny bit of reputation by making it public. But it's up to them, I won't disclose the full message until I get credit. 2/3 pic.twitter.com/iG6waUELtk
— Denis Tokarev (@illusionofcha0s) October 13, 2021
When Tokarev asked why the list of fixed iOS security bugs didn’t include his 0-day, Apple Inc. replied: “Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience.”
Then Apple Inc. released iOS 15.0.2, and yet again, failed to acknowledge Tokarev. When the developer persisted, the company asked him to treat the contents of their email exchange as confidential.
There are two 0-day security vulnerabilities that Apple Inc. hasn’t acknowledged, tagged, or fixed yet:
Whenever a cybersecurity expert, or even a tech giant, discovers a security flaw, the vulnerability usually gets a CVE (Common Vulnerabilities and Exposures) ID. The tag helps every concerned party track the security flaw and confirm that a fix or patch exists.
Apple Inc. apparently chooses to silently address such security loopholes. The company only occasionally attaches a CVE ID to flaws inside iOS, iPadOS, macOS, etc. Needless to mention, this is concerning behavior.
Emergency Apple iOS 15.0.2 update fixes zero-day used in attacks – @LawrenceAbrams https://t.co/HxbBa7v4SR
— BleepingComputer (@BleepinComputer) October 11, 2021
Incidentally, Tokarev claims he found four iOS zero-days and reported them to Apple Inc. between March 10 and May 4 this year. When the company failed to acknowledge his efforts, the developer even published proof-of-concept exploit code.
Within a day, Apple Inc. reached out to Tokarev, and apologized for the delay in getting back to him:
“We saw your blog post regarding this issue and your other reports, [and we] apologize for the delay in responding to you. We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.”
iOS 15.0.2 Wireless Pairing W/Passcode Locked Device Vulnerability #infosec https://t.co/LTvoJlE9qv
— Jonathan Scott (@jonathandata1) October 13, 2021
It is quite obvious that Tokarev, and many like him, want official recognition and, quite possibly, a reward that fits the severity of the flaw. However, it is not clear whether Apple Inc. will suddenly turn over a new leaf.