A security researcher’s difficult communication with Apple


For much of 2021, a security researcher named illusionofchaos had a fruitless conversation with Apple about fixing a number of vulnerabilities that allow applications to make API calls to obtain information.

Last Friday, the researcher finally released his findings, which reveal a patched vulnerability in iOS 14.7 and three unpatched vulnerabilities.

Four vulnerabilities revealed

The patched vulnerability was in Analyticsd and allowed applications to access logs containing medical information, information about device usage, application crashes, and information about device accessories.

The unpatched vulnerabilities were in the gamed service, which did not properly verify Game Center authorization and allowed access to: the Core Duet database, which contains all contacts from Mail, SMS, iMessages and some attachments; the Apple ID email address, full name, and authentication tokens, which provide access to at least one endpoint; and read access to the Speed Dial database and Address Book.

A vulnerability in Nehelper allowed an application to check whether another application was installed, and another allowed unauthorized access to Wi-Fi information.

Waiting for credit

The researcher claims that when Apple fixed the Analyticsd problem, he was not credited, and that Apple announced in July that the credit was forthcoming. In September, the researcher was still waiting.

For each vulnerability, the researcher posted proof-of-concept code on GitHub.

On Saturday, the researcher received a response from Apple, which said it had seen the blog post and apologized for the delay: “We want to inform you that we are still investigating these issues and how we can resolve them to protect our customers. Thanks again for taking the time to report these issues to us, we appreciate your help.”

We asked Apple for comment on Friday, but we are still waiting for a response.

A solution considered spam

Over the weekend, a blind developer complained that Apple had flagged as spam an update intended to make an accessible version of Hangman work on iOS 15.

“My app is designed for the blind and all the other hangman games that I have found in the app store are half playable and … this is a vulnerability and user patch update. Those who have already paid for the application cannot play with iOS 15,” writes Oriol Gómez Sentís.

This Monday morning, the developer indicated that Apple had approved the update, but that the application continued to violate the guidelines of the App Store.
