UPDATED with additional information.
A researcher has posted exploits for three unpatched security vulnerabilities in Apple's iOS mobile operating system, claiming Apple has done nothing to fix the flaws despite knowing of them for several months.
The researcher, who calls himself "illusionofchaos," claimed in an English-language post yesterday (Sept. 23) on a Russian blogging platform that all three exploits work on iOS 15, the latest version of Apple's mobile operating system, which was released just this week.
To be honest, none of the flaws sound critical — you can't use them to hack any random iPhone over the internet — and we can see why Apple might have dragged its feet on at least two of them.
The researcher calls them "zero-day" flaws, which usually means that the developer (in this case Apple) has zero time to fix them before they're publicly disclosed, but in this case it appears Apple has known of them since April.
What can you do about these iOS 15 flaws?
Should you worry about these three flaws? Yes, because the most serious one could give installed apps at least temporary access to your Apple account, which could lead to account takeover.
We don't know how you could stop this as a user, as it's entirely internal, but you should routinely check on your Apple ID and App Store activity just to make sure no one else has access to your account.
We've reached out to Apple for comment on these alleged flaws and will update this story when we receive a reply.
So far, the only person we know of who has been able to confirm that any of the vulnerabilities work is Kosta Eleftheriou, an app developer who has long had a beef with Apple over App Store policies. Eleftheriou said the most serious flaw does work on iOS 15.
"🚨Can confirm the exploit also works on iOS 15.0 - it's able to silently pull a *trove* of personal information without _any_ kind of user prompt." (September 24, 2021)
Apple ID access from any app
The most serious flaw, the one that Eleftheriou said he was able to replicate, is apparently in a process called "gamed," likely pronounced "game-dee."
The Game Center on iOS and macOS appears to use gamed to communicate with the App Store to synchronize game progress. A quick Google search finds many Mac and iPhone users complaining about gamed using up a lot of CPU and network resources.
Illusionofchaos said that the gamed flaw permits "any app installed from the App Store" to access your "Apple ID email and full name associated with it," your Apple ID authentication token, and all contacts stored on your iPhone. (We're not sure whether "Apple ID email" refers to your Apple email address or to your email messages.)
Apps in the App Store are vetted by Apple, but they're not supposed to have full access to your Apple account, which having the authentication token would in theory temporarily confer. Nor are apps supposed to access your contacts without your permission.
This exploit works even if you disable Game Center on your iPhone, Illusionofchaos said.
Less serious flaws
The other two flaws are associated with "nehelper," an iOS process that seems to have something to do with network extensions.
Illusionofchaos said one vulnerability lets any user-installed app (i.e., one not preloaded on the device by Apple) tell whether any other app is installed on the same device. To be honest, that doesn't seem so serious to us, although privacy-minded iPhone users may have different opinions.
The other nehelper flaw appears to let apps authorized to use location data also learn the Wi-Fi network name of a connected Wi-Fi network, even if the apps aren't explicitly authorized to know that. We're not going to lose much sleep over this one either.
Illusionofchaos said he found a fourth flaw that let any user-installed app gain access to analytics logs on an iPhone, which could include medical and other biometric information about the user as well as device data. Illusionofchaos said this issue was fixed with iOS 14.7 (released in July 2021), but that he wasn't given credit.
Other recent Apple security issues
Apple has had a spate of security issues lately. Just yesterday, it patched three actual zero-day flaws in iOS 12 and macOS 10.15 Catalina, two of which were patched in iOS 14 and macOS Big Sur last week.
Meanwhile, there's an existing Finder flaw in macOS 11.6 Big Sur (and presumably earlier versions) that does seem to permit remote code execution — hacking, in other words — over the internet. Apple has not responded to our query about that one. And at least two more variants of Mac malware have reared their heads in the past couple of months.
Apple bug-bounty beef
Illusionofchaos' real gripe is that Apple hasn't paid him the bug bounties he believes Apple owes him, a complaint so common among security researchers that it was recently the subject of a Washington Post story.
Illusionofchaos said he notified Apple of all three flaws, plus a fourth that Apple fixed in July with iOS 14.7 (but didn't credit him for), on April 29. He said Apple responded the following day that it had received his report and was investigating the issues.
Apple's bug-bounty program promises independent researchers that it will pay them up to $1 million if they find flaws in the company's half-dozen operating systems, but many researchers say the company is more tight-fisted about payouts than other big companies with bug-bounty programs.
Updates: Researcher's name and other perspectives
Vice Motherboard got in touch with illusionofchaos, who said his real name was Denis Tokarev and admitted that the flaws he posted online were not that dangerous, at least not immediately.
"The ones that I've released do not lead to complete device compromise but still allow malicious apps to gather a tremendous amount of sensitive and personal data," he told Motherboard's Lorenzo Franceschi-Bicchierai.
"It's possible for any app to know exactly who you are, all your social circle, your patterns of communication with them and build a deep profile of you based on your communications and the kind of apps you have installed."
Tokarev warned that an app containing an exploit for at least one of his flaws (he didn't specify which one) might make it into the App Store. He said he uploaded an app containing it through Apple's own developer program and was able to install the app from there onto his own phone. Presumably the App Store screening would be stricter.
Patrick Wardle, a well-known American Apple hacker, told The Register that "the bigger takeaway is that Apple is shipping iOS with known bugs."
Wardle pointed out that Tokarev/illusionofchaos was giving up a chance at collecting some serious cash from Apple in exchange for venting his frustration at Apple's bug-bounty program — a sentiment Wardle himself seemed to share.
"Apple's hubris gets in the way," he told The Register. "They (still) don't see security researchers or white-hat hackers as being on the same side."
While Apple's own security researchers "get it," Wardle said, Apple executives "believe their way is the right way and they don't need any external help."