In a shocking new blog post, an anonymous security researcher has exposed three zero-day flaws which exist in iOS 14 and iOS 15 which put millions of iPhones around the world in immediate danger. But there’s a twist, because the researcher reported them all to Apple months ago and is only now publishing the details to force Apple’s hand after claiming the company refused to act.
“I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page,” explains the researcher, who published under the pseudonym illusionofchaos. “When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.”
Explaining his actions in now publishing all the zero-day flaws, the researcher reveals:
“Ten days ago I asked for an explanation and warned them that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.”
The researcher also makes the point he is far from alone in being treated this way.
Commenting on the revelations, Marco Arment, creator of Instapaper and Overcast and former CTO of Tumbler, was hugely critical of Apple tweeting “Security relations are developer relations. What will it take for Apple to change their entire CULTURE of how they treat outside developers?” As an example, he focuses in on one of the new zero-day flaws, commenting:
“Click through to see the Game Center exploit in particular. It’s rough. Things like this should almost never slip through the cracks with a functioning security program. Instead, with Apple, it’s commonplace. That’s so deeply broken, yet nothing changes. What will it take?”
Consequently, for Apple fans the concerns are twofold. First, the immediate threat of this trio of zero-day hacks being released into the wild. Second, the fear that this is just the tip of the iceberg with many more researchers being ignored and many more unfixed zero-day flaws being allowed to exist in the wild for months at a time.
Apple has long marketed itself as the champion of privacy and security. The former has been brutally dismantled in recent months and now Apple needs to work hard to save its reputation with the latter.
I have reached out to Apple and will update this post when/if I get a response.
Follow Gordon on Facebook
More On Forbes