Cadastre-se agora para um orçamento mais personalizado!

Miffed security researcher finds way to get Apple talking, drops three iOS vulnerabilities

26 de setembro de 2021 Hi-network.com
Image: Apple

For most of 2021, a security researcher going by the name of illusionofchaos has been engaged in an unfruitful conversation with Apple to fix a number of vulnerabilities that allow apps to make API calls to pull down user information that they should not be able to.

On Friday, the researcher went public with their findings, which contained one vulnerability fixed in iOS 14.7 and three unpatched vulnerabilities.

The fixed bugs involved Analyticsd and allowed apps to access logs containing medical information, device usage information, application crashes, and information on device accessories.

The unpatched vulnerabilities included the gamed service not properly checking game-center permission and allowing access to the Core Duet database that contains all contacts from Mail, SMS, iMessages, and some attachments; Apple ID email, full name, and authentication tokens allowing access to access at least one apple.com endpoint; and read access to speed dial database and address book.  

A vulnerability in Nehelper allowed for an app to check whether any other app was installed, and another Nehelper bug allowed for unauthorised access to Wi-Fi information.

The researcher said when Apple fixed the Analyticsd issue, they were not credited, with Apple saying in July that credit was forthcoming. By September, the researcher was still waiting.

For each vulnerability, the researcher published proof-of-concept code on GitHub.

On Saturday, the researcher received a response from Apple, which said it had seen the blog post and apologised for the delay.

"We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance," Apple said.

ZDNet asked Apple for comment on Friday, but we are still awaiting a response.

Over the weekend, a blind developer complained that Apple had labelled as spam an update to make an accessible version of Hangman run on iOS 15.

"My app is made for the blind and that all the other hangman games I have seen on the app store are half playable and ... this is a bugfix update and already existing users who have paid for the app are unable to play using iOS 15," Oriol G

tag-icon Tags quentes : Tecnologia Segurança

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.