Published in News

Apple ignored three zero-day vulnerabilities for months

27 September 2021


Finder just showed them to the world


After the fruity cargo-cult Apple ignored three zero-day security flaws for ages, a security researcher has published details about them to force it to do something.

Going by the pseudonym of Illusion of Chaos, the researcher has published their findings on Russian blogging platform Habr and has released proof-of-concept code for each vulnerability on GitHub. This includes:

1. A vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names and auth tokens, and can also grant file system access.

2. A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device.

3. An additional vulnerability in the nehelper daemon that can also be used from within an app to gain access to a device's WiFi information.

"I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page", the researcher wrote.

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time."

IllusionOfChaos said the collection of this data shows the hypocrisy of Apple's claims to care about privacy. "All this data was being collected and available to an attacker even if 'Share analytics' was turned off in settings", the researcher said.

Last modified on 27 September 2021