Apple is silent on fixing a severe vulnerability in iOS and is refusing to address three other zero-day vulnerabilities, says an ethical hacker who informed the company months ago.
Anyone who discovers vulnerabilities in iOS can report them to Apple and receive a fee (bug bounty) for it. But the company doesn’t always keep its promises, claims an ethical hacker called Illusionofchaos. Nor does it communicate about the problems that have been solved.
In a blog post, he explains how he discovered and reported a total of four zero-day vulnerabilities to Apple between March 10 and May 4. They come in iOS 14.7 but also work in iOS 15.
One zero-day vulnerability has since been fixed, but Apple mentioned it in the documentation surrounding security patches. When he confronted Apple about this, the company said it was a mistake, but it has still not been corrected months later.
The three other bugs are still in iOS 15. Out of frustration with the selective deafness at Apple, he, therefore, communicates about the problems himself. It is almost always about installed apps that can collect much more information than the user or the device.
The fixed vulnerability, Analticsd, allows installed apps to access sensitive data such as medical data, gender, and age.
In addition, there is Gamed, a vulnerability that works through the Game Center where installed apps gain access to the Core Duet database, where they can access contacts, texts and other messages, phone numbers, your Apple ID email address and full name.
Less severe but still present is Nemhelper Enumerate Installed Apps, a vulnerability that allows an installed app to check whether another app is installed. Finally, there is also Nehelper Wifi Info, a vulnerability through which apps with access to location data can get information about the device’s wifi connection.
Sharing the findings online has meanwhile proven to be bearing fruit. Illusionofchaos writes at the bottom of his blog that Apple has responded in the meantime and apologizes for the slow response. However, the company is said to be still investigating the issues and a possible solution.
Unlike Microsoft and Android, Apple is very selective when it comes to communicating about security vulnerabilities. Recently, however, it has often fallen into disrepair when it comes to solving these problems correctly. For example, last week, it was announced that a zero day vulnerability in macOS was addressed but not completely solved.