Apple is still investigating three iOS 15 zero-days after researcher criticizes bug bounty program

Last week a researcher publicly disclosed multiple zero-day exploits that are still unpatched as of iOS 15.0, claiming they had been warning Apple about the vulnerabilities for months only to be ignored. Apple recently responded that it is still investigating, though this might say as much about Apple’s bug bounty program as it does the vulnerabilities themselves. The researcher went on to criticize the ability of Apple’s app review process to catch malicious apps.

Denis Tokarev published the source code for four exploits in a blog post, three of which Apple has yet to patch. Through them, malicious apps could expose things like user WiFi information, full names associated with Apple IDs, contact lists for various messaging methods, and different kinds of user metadata. Tokarev notified Apple about the exploits multiple times since April and has gotten a response just recently.

Tokarev shared the email from Apple in a subsequent blog post, and Vice’s Motherboard verified that the email came from Apple’s servers.

“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” it reads. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”

The exploits themselves work through apps going through Apple’s certification process to get on the App Store. One issue with Apple’s delay in responding, however, as well as Tokarev’s claim that apple patched the fourth vulnerability in an earlier update without mentioning him, is how it reflects on Apple’s bug bounty program.

Bug bounties can be very lucrative for researchers. In July, Microsoft awarded over $13 million to researchers over the past year through its bug bounty program. Last summer, Apple granted a researcher $100,000 for discovering a zero-day bug.

Even though the exploits Tokarev published need to go through apps that make it onto the App Store, he also criticizes Apple’s review process. The post goes into deep technical details, but it does point out the case of Charlie Miller, who was able to sneak an app past Apple’s review process in 2011 that exposed a security hole. Apple kicked Miller off the app store in response, and Tokarev claims nothing has changed since then.

Tokarev’s latest blog post also posits a situation in which someone might use one of the exploits he published to out LGBTQ people. That exploit lets an app check to see if any other app is installed on a device through its bundleID. Theoretically, someone could update an existing app with code that checks to see if a user has Grindr installed on their device. The blog post is also a general criticism of how Apple runs the App Store regarding competitiveness and the company’s ability to control the spread of scam apps.