Apple apologizes to researcher for ignoring iOS vulnerabilities and says it is still ‘investigating’

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after he said Apple had ignored his reports and had failed to resolve issues for several months.

Tokarev told Motherboard today that Apple made contact only after he published his complaints and after they drew significant media attention. In an email, Apple apologized for the delay in replying, saying it was “still investigating” the issues.

“We saw your blog post regarding this issue and your other reports. We apologize for the delay in replying to you,” wrote an Apple employee. “We would like to tell you that we are still investigating these issues and how we can resolve them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your help. Let us know if you have any questions.”

Apple did fix one of the vulnerabilities in iOS 14.7 but did not credit Tokarev. Three others remain unaddressed, including a Game Center bug that allegedly allows any app installed from the App Store to access the user’s full Apple ID email address and name, Apple ID authentication tokens, contact lists and some attachments.

Tokarev has published details of all the zero-day vulnerabilities, which could pressure Apple to fix them faster.

Tokarev first contacted Apple about these bugs between March 10 and May 4, so Apple has had months to issue patches. It is worth noting, however, that several security researchers, and Tokarev himself, have confirmed that the bugs are not extremely critical, since exploiting them would require a malicious app to first get App Store approval.

Still, experts have criticized Apple’s response and its bug bounty program. Cybersecurity expert Katie Moussouris told Motherboard that Apple’s handling of the process “is not normal and should not be considered normal,” while researcher Nicholas Ptacek said Apple’s response appears to be a “reaction to bad press.”

Earlier this month, the Washington Post interviewed more than two dozen security researchers, revealing the problems in Apple’s bug bounty program. Researchers said Apple is slow to fix bugs and does not always pay what is due, leaving researchers dissatisfied with Apple’s program.

At the time, Apple’s head of security engineering and architecture, Ivan Krstić, said Apple “plans to introduce new rewards for researchers” to expand participation, and that Apple is working to offer new and better research tools.
