Researcher Says Apple Ignored Three Zero-Day Security Vulnerabilities Still Present in iOS 15

In 2019, Apple opened its Security Bounty Program to the public, offering payouts up to $1 million to researchers who share critical iOS, iPadOS, macOS, tvOS, or watchOS security vulnerabilities with Apple, including the techniques used to exploit them. The program is designed to help Apple keep its software platforms as safe as possible.

iPhone 13 Security
In the time since, reports have surfaced indicating that some security researchers are unhappy with the program, and now a security researcher who uses the pseudonym "illusionofchaos" has shared their similarly "frustrating experience."

In a blog post highlighted by Kosta Eleftheriou, the unnamed security researcher said they reported four zero-day vulnerabilities to Apple between March and May of this year, but they said that three of the vulnerabilities are still present in iOS 15 and that one was fixed in iOS 14.7 without Apple giving them any credit.

I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

The person said that, last week, they warned Apple that they would make their research public if they didn't receive a response. However, they said Apple ignored the request, leading them to publicly disclose the vulnerabilities.

One of the zero-day vulnerabilities relates to Game Center and allegedly allows any app installed from the App Store to access some user data:

- Apple ID email and full name associated with it

- Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user

- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)

- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one inaccessible, so that one must have been quietly fixed recently)

The other two zero-day vulnerabilities that are apparently still present in iOS 15, as well as the one patched in iOS 14.7, are also detailed in the blog post.

Apple has not yet commented on the blog post. We'll update this story if the company responds.

Related Roundup: iPadOS 15
Related Forum: iOS 15

Top Rated Comments

turbineseaplane Avatar
13 months ago

It seems obvious that Apple's software development process is broken, giving almost everything they release a feeling of being incomplete, unreliable, and unnecessarily rushed. Software will never be perfect, but this kind of problem is an unforced error on Apple's part.
What's so frustrating about this is that it's an "own goal".

Apple alone has insisted on this pointless constant march towards an "all new***" iOS version every year, when literally nobody wants that.

We all want features added over time when they are ready, sure. But more than that, people want things to get more polished, more optimized, faster, smoother, better, more well thought out.

Almost all of that is eliminated by forcing a full new version every year. The cycle of "fixing bugs" and "ironing out issues" never completes and then just restarts every Fall. It. Sucks.

iOS (and macOS) need to be "running releases" that get worked on and made better for a 3-4 year run before totally new versions.

They've made a treadmill for themselves and they can't keep up.
Score: 44 Votes (Like | Disagree)
Soba Avatar
13 months ago
It seems obvious that Apple's software development process is broken, giving almost everything they release a feeling of being incomplete, unreliable, and unnecessarily rushed. Software will never be perfect, but this kind of problem is an unforced error on Apple's part.

Apple increasingly looks like a company that is more concerned about image and that is trying to cover up shortcomings through marketing rather than using solid engineering techniques to get the product right.

Tim Cook heads the company and he deserves a lot of flak, but I suspect there are major problems at all levels. Perhaps it's time to clean house.
Score: 41 Votes (Like | Disagree)
GMShadow Avatar
13 months ago
Honestly, good for him.

Apple needs to get their stuff together. It's clear the wheels are coming off the cart under Cook the past few years.
Score: 34 Votes (Like | Disagree)
rickwalder Avatar
13 months ago
Apple’s stance has always been “without us, you are nothing” to devs

wonder if the day will come that apple realizes without devs, they are nothing. Who wants an iPhone without any apps?
Score: 28 Votes (Like | Disagree)
DesertDrummer Avatar
13 months ago
How frustrating. This would be such an easy, valuable PR win for Apple, and it would only increase their security and engagement with the security research community, but they're blowing it. Unfortunately, this is probably a side-effect of Apple's very secretive culture.
Score: 25 Votes (Like | Disagree)
BobSc Avatar
13 months ago

Oh really? Is that "clear"? Are the "wheels coming off the cart"?

Because from my perspective, I see the M1 transition blowing minds. I see Swift turning into a major powerhouse. I see Macs making a major comeback in the marketplace beyond any time in the past 20 years. I see Apple counting stacks.

So which "wheels" are these that you're referring to exactly?
The wheels that are coming off aren't the hardware items you mentioned. It's the attitude. I'm been an apple customer since about 1987. I've purchased tens of thousands of dollars of equipment. The wheels started coming off when apple switched to their insane policy of new OS's every year. That's more important to apple than making sure their hardware and software is as bug free as possible. Apple used to have a customer oriented mentality. That's gone. And in fact the wheels are't even on any more. The number of significant bugs in iOS 15 is proof enough. I used to think that apple could do no wrong. I now wonder if they can do much that is right!
Score: 24 Votes (Like | Disagree)

Related Stories

iPhone 13 Security

Apple Apologizes to Researcher for Ignoring iOS Vulnerabilities, Says It's 'Still Investigating'

Monday September 27, 2021 12:55 pm PDT by
Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after he said that Apple had ignored his reports and had failed to fix the issues for several months. Tokarev today told Motherboard that Apple got in touch after he went public with his complaints and after they saw significant media attention. In an email, Apple apologized for the contact delay...
ios 15

Apple Releases iOS 15.3 and iPadOS 15.3 With Fix for Safari Bug That Leaks Browsing Activity

Wednesday January 26, 2022 10:00 am PST by
Apple today released iOS 15.3 and iPadOS 15.3, the third major updates to the iOS and iPadOS 15 operating systems that were released in September 2021. iOS and iPadOS 15.3 come almost two weeks after the release of iOS and iPadOS 15.2.1, minor bug fix updates. The iOS 15.3 and iPadOS 15.3 updates can be downloaded for free and the software is available on all eligible devices over-the-air in ...
iOS 15

Apple Stops Signing iOS 15.3.1 Following iOS 15.4 Release, Downgrading No Longer Possible

Tuesday March 22, 2022 5:12 pm PDT by
Following the release of iOS 15.4 on March 14, Apple has stopped signing iOS 15.3.1, the previously available version of iOS that came out in February. As iOS 15.3.1 is no longer being signed, it is not possible to downgrade to that version of iOS if you've updated to iOS 15.4. Apple routinely stops signing older versions of software updates after new releases come out in order to encourage...
powerdir exploit microsoft

Microsoft Discovered New 'Powerdir' macOS Vulnerability, Fixed in 12.1 Update

Monday January 10, 2022 9:17 am PST by
Microsoft's 365 Defender Research Team this morning published details on a new "Powerdir" macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data. Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the...
apple security banner

macOS 11.3 Patches Security Vulnerability That Bypassed Built-In Malware Protections

Monday April 26, 2021 11:03 am PDT by
Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update patches a security vulnerability that reportedly could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a spoofed document. "All the user would need to do is double click — and no macOS prompts or warnings are generated," said security researcher Cedric...
iOS 14 vs 15 feature

Apple Says Option to Stay on iOS 14 Was Always Meant to Be Temporary

Wednesday January 19, 2022 9:57 am PST by
Last week, MacRumors shared news that Apple had stopped releasing iOS 14 security updates and was pushing those still on iOS 14 to upgrade to iOS 15, an apparent reversal of a promise to allow users to stay on the iOS 14 operating system. Apple today told Ars Technica that the option to stay on iOS 14 and avoid the iOS 15 upgrade was always meant to be temporary. It is not a mistake that...
apple devices security bug bounty mac iphone ipad

Security Researchers Unhappy With Apple's Bug Bounty Program

Thursday September 9, 2021 10:00 am PDT by
Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post. In interviews with more than two dozen security researchers, The Washington Post collected a number...
mozilla firefox banner fixed

Firefox 95 Brings Security, Performance, and Efficiency Improvements to Mac

Friday December 10, 2021 2:32 am PST by
Mozilla has released Firefox 95, featuring a new version of its security sandboxing subsystem called RLBox, and additional performance and efficiency improvements for the macOS version of the web browser. According to the release notes, RLBox is a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries. The sandbox subsystem works by...

Popular Stories

iphone 14 pro max vs 13 max 2

Camera Comparison: iPhone 14 Pro Max vs. iPhone 13 Pro Max

Thursday September 29, 2022 7:44 am PDT by
The iPhone 14 Pro and Pro Max introduce some major improvements in camera technology, adding a 48-megapixel lens and low-light improvements across all lenses with the new Photonic Engine. We've spent the last week working on an in-depth comparison that pits the new iPhone 14 Pro Max against the prior-generation iPhone 13 Pro Max to see just how much better the iPhone 14 Pro Max can be. Subscrib ...
tony blevins car

Apple Procurement VP Departs Company After Vulgar TikTok Comment

Thursday September 29, 2022 12:38 pm PDT by
Tony Blevins, Apple's vice president of procurement, is set to depart the company after he made a crude comment about his profession in a recent TikTok video, reports Bloomberg. Blevins was in a video by TikTok creator Daniel Mac, who was doing a series on the jobs of people he spotted with expensive cars. After seeing Blevins in an expensive Mercedes-Benz SLR McLaren, Mac asked Blevins what ...
Dark Sky App Featured

Dark Sky Removed From iOS App Store Ahead of Upcoming Shutdown

Wednesday September 28, 2022 4:27 pm PDT by
The Dark Sky weather app that's owned by Apple is no longer available for download in the U.S. App Store, suggesting that it has been removed ahead of schedule. Apple acquired Dark Sky back in March 2020 and has since incorporated elements of the app into the Weather app available on the iPhone (and soon, the iPad). Dark Sky remained available for purchase as a standalone weather app...
adaptive transparency airpods pro

iOS 16.1 Beta Brings Adaptive Transparency to Original AirPods Pro

Thursday September 29, 2022 1:08 pm PDT by
The third beta of iOS 16.1 that was released earlier this week expands the Adaptive Transparency feature introduced with the second-generation AirPods Pro to the original AirPods Pro. As noted on Reddit, first-generation AirPods Pro owners who also have the AirPods beta software will now see an "Adaptive Transparency" toggle in the AirPods section of the Settings app. The 5A304A beta...
tim cook malala

Tim Cook: Not Too Long From Now, You'll Wonder How You Led Your Life Without AR

Thursday September 29, 2022 7:26 am PDT by
Speaking at Università Degli Studi di Napoli Federico II in Naples, Italy, Apple CEO Tim Cook said that not too long from today, people will wonder how they led a life without augmented reality, stressing the "profound" impact it will have on the not so distant future. At the university, Cook was awarded an Honorary Degree in Innovation and International Management and also sat down for a...
iPhone 15 to Switch From Lightning to USB C in 2023 feature sans arrow

Kuo: iPhone 14 Pro Max Popularity Could Lead to More Differentiation Between iPhone 15 Pro and iPhone 15 Pro Max

Wednesday September 28, 2022 10:22 am PDT by
Apple has seen high demand for the 6.7-inch iPhone 14 Pro Max, which could lead the company to further differentiate the next-generation iPhone 15 Pro and Pro Max, according to Apple analyst Ming-Chi Kuo. Apple could add exclusive features to the iPhone 15 Pro Max in an effort to encourage more people to purchase the larger and more expensive device. Kuo last week said that Apple asked...
iOS 16 Wallpaper Spectrum Feature

Five Wallpaper Apps to Check Out for iOS 16's New Lock Screen Depth Effect

Thursday September 29, 2022 9:08 am PDT by
One of the biggest new features in iOS 16 is a completely redesigned iPhone Lock Screen. The new Lock Screen is entirely customizable, letting you change the colors and fonts, add widgets and new wallpapers, and more to make your iPhone uniquely yours. Of course, even before iOS 16, you could customize your Lock Screen with a wallpaper of your choice. iOS 16 takes the Lock Screen wallpaper...
apple watch ultra deuglify 1

Apple Watch Ultra User Mods Titanium Casing to 'Deuglify' Design

Tuesday September 27, 2022 8:05 am PDT by
An Apple Watch Ultra user has modified their new device's casing to add a brushed finish and remove the orange color of the Action Button in an effort to make it more visually appealing. The Apple Watch Ultra offers the first complete redesign of the Apple Watch since the product line's announcement in 2014, and while the design has been met with praise from many users, some have criticized...
mx mechanical keyboard logitech

Logitech Launches New 'Designed for Mac' Mice and Keyboards

Wednesday September 28, 2022 12:01 am PDT by
Logitech today announced the launch of several new mice and keyboards that have been developed for use with Apple's Macs, including Logitech's first mechanical keyboard that has been optimized for the Mac. The MX Mechanical Mini for Mac Keyboard has a keyboard layout designed for Macs, with tools to customize shortcuts with Logi Options+. The keyboard uses Tactile Quiet low-profile switches...
iphone 14 iphone 14 plus in hand feature

iPhone 14 Is Secretly Hiding a Beloved Mac Feature

Friday September 30, 2022 3:24 am PDT by
The iPhone 14 and iPhone 14 Pro models bring over a longstanding Mac feature, but the setting to enable it is off by default. The feature, which is actually a new accessibility option, allows the iPhone to play a startup chime like the Mac. When enabled, the sound comes alongside a new shutdown chime. The Mac has featured a startup chime since 1987's Macintosh II, and the iconic "bong"...