Apple Apologizes After Security Researcher Reveals iOS Bugs

By Naveen Athrappully

Apple has apologized to a security researcher who detailed his “frustrating” experiences dealing with the company, after he disclosed bugs in the iOS operating system.

Apple has been criticized for allegedly mishandling vulnerability reports submitted through its bug bounty program. Researchers claim this is symptomatic of a program riddled with complications, ranging from poor communication to unresolved payment issues.

In a blog post, security researcher Denis Tokarev claims to have reported four zero-day vulnerabilities in Apple’s iOS mobile operating system. Zero-days are newly discovered bugs or security flaws for which no patch is yet available.

After reporting the issues to Apple, Tokarev said that Apple ignored three of them and released a patch for the fourth. But when the latest iOS version, 15.0, was released, the fix was not listed on the company’s security content page, and Tokarev was not given any credit.

The bugs that Tokarev investigated allowed apps to read user data like contact lists and Apple ID email, along with other personally identifying information.

Tokarev requested an explanation and was informed by company representatives that they had run into a processing issue while compiling the listing and would get to it soon. But three further releases came with no mention of the security update, after which Tokarev decided to make the details of his investigation public.

“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” Apple told Tokarev after his post. “We want to let you know that we are still investigating these issues and how we can address them to protect customers.”

As for the other three zero-days, a jailbreak developer has claimed to have fixed them, according to an update on Tokarev’s blog. The bugs Tokarev discovered were not critical, because exploiting them required a malicious app to first get into the App Store before it could harvest user information.

But the way Apple handled the issue is what irked Tokarev, who mentioned several other security researchers who were likewise frustrated with the Apple Bug Bounty Program.

Bug bounty programs allow ethical hackers and cybersecurity specialists to get paid for discovering bugs in systems and networks. Many major corporations run such programs to keep their users safe and secure. Apple launched its program in 2016, but researchers have blamed the company’s “insular culture” for poor communication and a large backlog of bugs yet to be patched.

“You have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program,” Luta Security CEO Katie Moussouris told The Washington Post. “What do you expect is going to happen if they report a bug that you already knew about but haven’t fixed? Or if they report something that takes you 500 days to fix it?”

Apple did not immediately respond to a request for comment.
