May 25, 2022

Apple patches zero-day flaw in iOS 15, but without crediting outspoken researcher

Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple, with particular criticism of how the company is slow to react and act, and didn't give him credit for one of the three flaws that was patched. Now it appears Apple has fixed another zero-day flaw, this one in iOS 15, that Tokarev discovered earlier this year, without giving him credit.

In his September blog post, Tokarev detailed a gamed zero-day flaw (one of three) that would allow any app installed from the App Store to access personal user data such as the Apple ID e-mail and full name, the Apple ID auth token, complete file system read access to the Core Duet database, and more.

Now Tokarev says Apple has patched the gamed zero-day he discovered in the iOS 15.0.2 security update without crediting him (via BleepingComputer).

In September, Tokarev said that after waiting up to half a year since reporting some of the vulnerabilities to Apple, he decided to go public with the information.

My actions are in accordance with responsible disclosure guidelines (Google Project Zero reveals vulnerabilities in 90 days after reporting them to supplier, ZDI – in 120). I have waited much longer, up to half a year in one case.

At the end of September, Tokarev shared that he got a response from Apple that said they were still working on the “issues” and apologized for the delay.

After the first zero-day flaw that Tokarev found and reported to Apple was fixed in iOS 14.7 (July 19) without crediting him, the company told him:

“Due to a processing concern, your credit will be included on the security advisories in an approaching update. We apologize for the inconvenience.”

They have not replied to my second e-mail continuing to disregard my questions about analyticsd vulnerability which I asked exactly a month back. pic.twitter.com/sFUhMzvAAU
— Denis Tokarev (@illusionofcha0s) October 13, 2021

Appears that they don't have a different protocol on dealing with reports which were already revealed. It's up to them, I will not divulge complete message until I get credit.
— Denis Tokarev (@illusionofcha0s) October 13, 2021

Tokarev was asked to keep the most recent e-mails from Apple private, and he has followed that request at this time.

After the second was patched in iOS 15.0.2 with credit to “an anonymous scientist,” Tokarev said Apple did respond to him within six hours, but apparently didn't have a way to fix the problem of properly crediting him. Meanwhile, Apple still hasn't responded about the analyticsd zero-day he discovered that was patched in iOS 14.7.


Ten days ago I asked for an explanation and alerted then that I would make my research public if I don't receive an explanation. My actions are in accordance with responsible disclosure standards (Google Project Zero divulges vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.
