Skip to main content

Apple patches zero-day flaw in iOS 15, but without crediting outspoken researcher

Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple with specific criticism around how the company is slow to respond, act, and didn’t give him credit for one of the three flaws that were patched. Now it appears Apple has fixed another zero-day flaw, this one in iOS 15 that Tokarev found earlier this year, without giving him credit.

In September, Tokarev said that after waiting up to half a year since reporting some of the vulnerabilities to Apple, he decided to go public with the information.

Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.

At the end of September, Tokarev shared that he got a response from Apple that said they were still working on the “issues” and apologized for the delay.

In his September blog post, Tokarev detailed a gamed zero-day flaw (one of three) that would allow any app installed from the App Store to gain access to personal user data such as Apple ID email and full name, Apple ID auth token, complete file system read access to the Core Duet database, and more.

Now Tokarev says Apple has patched the gamed zero-day he discovered in the iOS 15.0.2 security update without crediting him (via BleepingComputer).

After the first zero-day flaw Tokarev discovered and reported to Apple and he wasn’t credited when it was fixed in iOS 14.7 (July 19), the company told him:

“Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience.”

After the second was patched in iOS 15.0.2 with credit to “an anonymous researcher,” Tokarev said Apple did respond to him in six hours, but apparently didn’t have a way to fix the problem of properly citing him. Meanwhile, Apple still hasn’t responded to the analyticsd zero-day he found that was patched in iOS 14.7.

Tokarev was asked to keep the latest emails from Apple confidential and he has followed that request at this time.

https://twitter.com/illusionofcha0s/status/1448269165417148418
https://twitter.com/illusionofcha0s/status/1448269171855400961

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Michael Potuck Michael Potuck

Michael is an editor for 9to5Mac. Since joining in 2016 he has written more than 3,000 articles including breaking news, reviews, and detailed comparisons and tutorials.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications