Apple silently fixed a zero-day vulnerability with the release of iOS 15.0.2 on Monday but did not credit the bug reporter.
- Apple quietly patches a zero-day vulnerability in iOS 15.0.2 that could have allowed attackers to gain access to sensitive information.
- According to the experts, the flaw was reported by software developer Denis Tokarev, but Apple did not credit him.
The company addressed the bug without acknowledging or crediting software developer Denis Tokarev for the discovery even though he reported the flaw seven months before iOS 15.0.2 was released.
After the release of iOS 15.0.2, Tokarev contacted Apple and asked to be credited for the discovery of the issue, as agreed in the past email exchange. Still, the company only asked him not to disclose the conversation.
In July, Apple also silently patched a zero-day vulnerability with the release of iOS 14.7 without crediting Tokarev in the security advisory, promising instead to acknowledge his report in the security advisories for an upcoming update.
Since then, Apple has published multiple security advisories (iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS vulnerabilities, but each time it failed to credit him.
"Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day.
The complete list of iOS zero-days reported by Tokarev includes:
- Gamed 0-day
- Nehelper Enumerate Installed Apps 0-day
- Nehelper Wifi Info 0-day
- Analytics (fixed in iOS 14.7)
If attackers successfully exploited the four vulnerabilities on unpatched iOS devices (i.e., iPhones and iPads), they could gain access to and harvest full names, Apple ID emails, Apple ID authentication tokens, wifi info, installed apps info, and analytics logs (including medical and device information).
This week, Apple fixed a second zero-day vulnerability in iOS 15.0.2 and iPadOS 15.0.2, tracked as CVE-2021-30883 and actively exploited in the wild.
The situation faced by Tokarev is similar to the experience of other experts who have tried to report vulnerabilities to Apple through its Bug Bounty Program.