Friday, October 22, 2021

Apple quietly fixes zero-day flaw in iOS 15.0.2, but didn’t credit its finder


Apple has quietly patched, in iOS 15.0.2, a zero-day vulnerability that could have given apps access to sensitive information, but reportedly did not credit the researcher who discovered the flaw.

The vulnerability was discovered by software developer Denis Tokarev seven months before the release of iOS 15.0.2. Back in September, Tokarev penned a blog post detailing some of his interactions with Apple’s Bug Bounty Program, including the fact that he went uncredited on another fixed flaw.

According to Bleeping Computer, Tokarev reached out to Apple after the release of iOS 15.0.2 to inquire about the lack of credit. Apple replied by asking him to keep the contents of their email exchange confidential.

The flaw was an exploitable bug that could have given user-installed apps from the App Store unauthorized access to sensitive data that would normally be protected by the app sandbox or by Transparency, Consent, and Control (TCC) protections. Apple's bug bounty program lists flaws of this class as worth up to $100,000.

In total, Tokarev reported four vulnerabilities to Apple. The company fixed one of them in iOS 14.7 and a second in iOS 15.0.2. The remaining two zero-day flaws are still present in the latest version of iOS 15; back in September, Apple said it was "still investigating" them.

Apple, for its part, characterizes the bug bounty program as a "runaway success," and says it works to correct quickly any mistakes it makes.
