Apple failed to fix zero days and ignore person who found them.

[HopelessNerd]

Well, the title says most, apple ignored the researcher , so he was released the zero days last night out of frustrations.

 

Quote from his disclosure

Quote

. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When

disclosure : https://habr.com/en/post/579714/

 

I cant believe they have had theese flaws since march ..

[SpookyCitrus]

Not really a surprise, Apple doesn't care about the consumer, they care about the consumer's money. The average end user isn't going to be looking for this or checking the security content page, if every single user checked it and complained they would fix it but just a handful of people they could care less. If it doesn't affect their bottom line they don't care. 

[TetraSky]

Another news source:

https://9to5mac.com/2021/09/24/security-researcher-claims-3-zero-day-flaws-ios-15/

 

Apparently, not the first time Apple didn't respond or paid up.

Quote

Stepping back to look at the big picture, Apple has said its bug bounty program is a “runaway success” while the infosec community has shared a variety of specific criticisms and concerns about the program. These include claims that Apple has not responded or not responded promptly and also that Apple has not paid for flaws discovered that meet the bounty programs guidelines.

 

It could be argued that Apple has become so bloated in the past decade, that they no longer care about "the little things", as long as it doesn't affect their public image with their followers who will keep buying their products no matter what.

 

That said, that security researcher should've just sold it to a third party instead of through Apple. They clearly don't care enough about it.

Like to these guys

https://zerodium.com/program.html

(dunno if legit or not)

[Zomeguy]

You should see Apple's training (I work in tech sales). From their training it implies Macs, iPad and iPhones don't get viruses and can't get compromised. I found it to be very arrogant and dangerous to make people think they're immune.

[Master Disaster]

Damn, I just read the full disclosure and it reads like Apple is running NSA level spying on all their users. I see no good reason why they'd ignore these issues unless they knew about them beforehand, maybe even added them on purpose with the sole intent of tracking.

 

Quote

Gamed 0-day

Any app installed from the App Store may access the following data without any prompt from the user:

• Apple ID email and full name associated with it

• Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user

• Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)

• Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one inaccessible, so that one must have been quietly fixed recently)

Quote

Nehelper Enumerate Installed Apps 0-day

The vulnerably allows any user-installed app to determine whether any app is installed on the device given its bundle ID.

XPC endpoint com.apple.nehelper has a method accessible to any app that accepts a bundle ID as a parameter and returns an array containing some cache UUIDs if the app with matching bundle ID is installed on the device or an empty array otherwise. This happens in -[NEHelperCacheManager onQueueHandleMessage:] in /usr/libexec/nehelper

Quote

Analyticsd (fixed in iOS 14.7)

This vulnerability allows any user-installed app to access analytics logs (such as the ones that you can see in Settings -> Privacy -> Analytics & Improvements -> Analytics Data -> Analytics-90Day... and Analytics-Daily...). These logs contain the following information (including, but not limited to):

• medical information (heart rate, count of detected atrial fibrillation and irregular heart rythm events)

• menstrual cycle length, biological sex and age, whether user is logging sexual activity, cervical mucus quality, etc.

• device usage information (device pickups in different contexts, push notifications count and user's action, etc.)

• screen time information and session count for all applications with their respective bundle IDs

• information about device accessories with their manufacturer, model, firmware version and user-assigned names

• application crashes with bundle IDs and exception codes

• languages of web pages that user viewed in Safari

All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected. That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if "Share analytics" was turned off in settings.

Quote

Nehelper Wifi Info 0-day

XPC endpoint com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, com.apple.developer.networking.wifi-info entiltlement check is skipped. Ths makes it possible for any qualifying app (e.g. posessing location access authorization) to gain access to Wifi information without the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper

 

Kind of interesting the only one they fixed was the one that allowed people to access their analytics.

[SpookyCitrus]

4 minutes ago, Zomeguy said:

You should see Apple's training (I work in tech sales). From their training it implies Macs, iPad and iPhones don't get viruses and can't get compromised. I found it to be very arrogant and dangerous to make people think they're immune.

I work in computer repair, we get fewer apples in for viruses than Windows computers but they still do get viruses and malware and a lot of the time they are a bit harder to remove especially if they integrate into profiles or into the launch plists and configs. Never been a fan of Apple claiming that, as people tend to get confused when I tell them they need a cleanup it's always "But Apples can't get viruses." and then I have to explain they can and do.

[Middcore]

4 minutes ago, SpookyCitrus said:

I work in computer repair, we get fewer apples in for viruses than Windows computers but they still do get viruses and malware and a lot of the time they are a bit harder to remove especially if they integrate into profiles or into the launch plists and configs. Never been a fan of Apple claiming that, as people tend to get confused when I tell them they need a cleanup it's always "But Apples can't get viruses." and then I have to explain they can and do.

 

The main reason "Macs don't (didn't) get viruses" was because they weren't popular enough for anyone to write malware targeting them. As the popularity of Macs has increased Mac users are now a worthwhile target. 

[Fasterthannothing]

How is this news to anyone? It's been known for several years ever since Apple pretended to care about not unlocking a phone and it allowed 3rd party companies to come in an do it and then sell hacking devices with the technology to every police department in the country. Apples security is a joke covered by a thin veil of marketing. That's all lead to a worse security situation than any other phone company on the market since they refuse to acknowledge they have security issues.

[Fasterthannothing]

36 minutes ago, Master Disaster said:

Damn, I just read the full disclosure and it reads like Apple is running NSA level spying on all their users. I see no good reason why they'd ignore these issues unless they knew about them beforehand, maybe even added them on purpose with the sole intent of tracking.

 

 

Kind of interesting the only one they fixed was the one that allowed people to access their analytics.

It does appear to be backdoors that a government would put in 

[RoseLuck462]

Apple hasn't been very good lately...

[poochyena]

Could be possible they just couldn't fix it, or not fix them without causing issues like lower performance?

[Taf the Ghost]

1 hour ago, TetraSky said:

Another news source:

https://9to5mac.com/2021/09/24/security-researcher-claims-3-zero-day-flaws-ios-15/

 

Apparently, not the first time Apple didn't respond or paid up.

 

It could be argued that Apple has become so bloated in the past decade, that they no longer care about "the little things", as long as it doesn't affect their public image with their followers who will keep buying their products no matter what.

 

That said, that security researcher should've just sold it to a third party instead of through Apple. They clearly don't care enough about it.

Like to these guys

https://zerodium.com/program.html

(dunno if legit or not)

Zero Days go for the most, legally, to your national 3-letter Agencies. If you want to get into the questionably legality range, there's always going to be buyers.

[Arika]

35 minutes ago, poochyena said:

Could be possible they just couldn't fix it, or not fix them without causing issues like lower performance?

LOL no.

 

Quote

When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Quote

Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation. My request was ignored so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case.

 

[Fasterthannothing]

1 hour ago, poochyena said:

Could be possible they just couldn't fix it, or not fix them without causing issues like lower performance?

Thats not even close to a valid excuse. Intel fixed major security exploits at the cost of performance without a second thought.

[poochyena]

24 minutes ago, SlidewaysZ said:

Thats not even close to a valid excuse. Intel fixed major security exploits at the cost of performance without a second thought.

I didn't say it was an excuse, I mention it could be a reason. Just look at the scandal regarding their batteries.

[Middcore]

22 minutes ago, valdyrgramr said:

You have a Steve Jobs clone running the company, and that means screw the consumer.  

 

I am not a fan of Steve Jobs but I think this is unfair. He was at least a brilliant marketer, and he had actual ideas about what computers should be and how people should use them. Tim Cook doesn't have any of that. He inherited a well-oiled machine and he squirts some more grease on it at regular intervals. 

[CTR640]

Apple simply doesn't care one bit because too many iSheeps. I'm only targetting those who thinks and sees Apple as the holy jesus, the savior, messiah bs, not to those who prefers iOS

 

3 hours ago, Master Disaster said:

Damn, I just read the full disclosure and it reads like Apple is running NSA level spying on all their users. I see no good reason why they'd ignore these issues unless they knew about them beforehand, maybe even added them on purpose with the sole intent of tracking.

 

 

Kind of interesting the only one they fixed was the one that allowed people to access their analytics.

Damn man, that's next-level hypocritism and arrogancy.

[Spotty]

3 hours ago, poochyena said:

Could be possible they just couldn't fix it, or not fix them without causing issues like lower performance?

Intel fixed spectre/meltdown despite the performance hit. Security takes priority over performance.

 

4 hours ago, Master Disaster said:

menstrual cycle length, biological sex and age, whether user is logging sexual activity, cervical mucus quality, etc.

I'm a guy so perhaps it's just something I don't understand, but why would this be tracked in iOS analytics? I know some women do use apps to track their menstrual cycle but tracking cervical mucus quality?? Perhaps even more baffling to me; why would anyone else want to access this information? 

 

4 hours ago, Master Disaster said:

All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected. That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if "Share analytics" was turned off in settings.

Edit: Wait... This is information being collected by Apple? It's not just stored locally on the device? Why would Apple want to know your menstrual cycle?!

Edited September 25, 2021 by Spotty

[poochyena]

4 minutes ago, Spotty said:

Security takes priority over performance.

To me or you, but maybe not to apple.

[Zodiark1593]

1 hour ago, Spotty said:

Intel fixed spectre/meltdown despite the performance hit. Security takes priority over performance.

 

!

Within reason of course. If we’re talking about a 50% performance hit, then the argument for performance becomes much stronger. 

[Master Disaster]

4 hours ago, Spotty said:

I'm a guy so perhaps it's just something I don't understand, but why would this be tracked in iOS analytics? I know some women do use apps to track their menstrual cycle but tracking cervical mucus quality?? Perhaps even more baffling to me; why would anyone else want to access this information? 

My first thought was how are they tracking this stuff? I guess there might be some social clues when a woman is on her periods but cervical mucas quality?

4 hours ago, Spotty said:

 

Edit: Wait... This is information being collected by Apple? It's not just stored locally on the device? Why would Apple want to know your menstrual cycle?!

Targeted advertising? Honestly I have no idea either.

 

I would love a females input on this, how this can be done and why its useful to anyone.

[Spotty]

Just now, Master Disaster said:

My first thought was how are they tracking this stuff? I guess there might be some social clues when a woman is on her periods but cervical mucas quality?

Targeted advertising? Honestly I have no idea either.

 

I would love a females input on this, how this can be done and why its useful to anyone.

I looked in to it briefly and it turns out that cervical mucus can be an indicator of fertility. There's different consistency and colour depending on the different stages in the reproductive cycle. A woman attempting to have a child can exam it to determine the best time to conceive.

 

https://developer.apple.com/documentation/healthkit/hkcategoryvaluecervicalmucusquality

Here's a buzzfeed article talking about the women's health features in iOS: https://www.buzzfeednews.com/article/stephaniemlee/heres-everything-apple-will-track-about-your-period-and-sex

 

The values are input by the user in Apple's health app, choosing from options "Dry", "Sticky", "Creamy", "Watery", and "Egg whites". Likewise the period tracking is also based on user inputs logging their menstruation and selecting "Light", "Medium", and "Heavy" to describe their menstruation.

 

There are some other health/fitness apps that also allow tracking menstruation cycles, as well as dedicated apps for it, so I'm not surprised that Apple's health app also allows tracking it. I know a former partner of mine tracked her cycle with one of the other fitness apps. I had never heard of tracking cervical mucus before, though I guess it would only make sense to do if someone is actively trying to conceive which was never an interest for me and my former partners.

 

Quote

All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected. That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if "Share analytics" was turned off in settings.

If Denis Takorev's (the person who published these security vulnerabilities) claims that Apple are collecting users private health information are true it's quite concerning. While I can understand why women may want to track these things themselves there's no need for Apple to track that data. Though, realistically if Apple are doing it then all of the other health apps are likely doing it as well. I doubt Apple is tracking it for advertising though, isn't their whole shtick that they don't sell personal information to advertisers?

[wanderingfool2]

16 minutes ago, Spotty said:

I doubt Apple is tracking it for advertising though, isn't their whole shtick that they don't sell personal information to advertisers?

Well that is a bit of a tough question.  While they do claim it doesn't sell info to advertisers, I believe it's still that Apple can use that information to serve you the ads (thus the advertisers don't get "your info" but still get targeted ads)

 

18 minutes ago, Spotty said:

If Denis Takorev's (the person who published these security vulnerabilities) claims that Apple are collecting users private health information are true it's quite concerning. While I can understand why women may want to track these things themselves there's no need for Apple to track that data. Though, realistically if Apple are doing it then all of the other health apps are likely doing it as well. I

Well it's collecting analytics from the health aspect, but in theory you can turn it off (still stored locally though), and I don't know (an apple user can confirm this) but is the share analytics on or off by default?

 

If the phone can track that information, it would give Apple more insite into their health apps itself (sort of how some of the pulse apps track your pulse to detect issues...or at least it did until Apple killed that feature)

[Master Disaster]

9 minutes ago, wanderingfool2 said:

Well that is a bit of a tough question.  While they do claim it doesn't sell info to advertisers, I believe it's still that Apple can use that information to serve you the ads (thus the advertisers don't get "your info" but still get targeted ads)

 

Well it's collecting analytics from the health aspect, but in theory you can turn it off (still stored locally though), and I don't know (an apple user can confirm this) but is the share analytics on or off by default?

 

If the phone can track that information, it would give Apple more insite into their health apps itself (sort of how some of the pulse apps track your pulse to detect issues...or at least it did until Apple killed that feature)

I absolutely understand why a person might want to track something in the name of staying healthy, currently I'm tracking calories and fat intake as my doctor recently informed me my cholesterol is fairly high.

 

I can sort of understand why a phone/electronic device might help someone to track this kind of thing.

 

I see absolutely zero reason why the phones manufacturer or app developer would need access to my personal medical information in any capacity. I understand usage analytics, like how much customers are interacting and whether the app is having a positive or negative effect on overall health (at least by the metric of the system) but honestly, for Apple to be looking at (and storing) a womans cervical mucas data is just plain creepy. That's the kind of stuff that should be kept between a woman, her partner and their fertility doctor.

[Master Disaster]

54 minutes ago, Spotty said:

I looked in to it briefly and it turns out that cervical mucus can be an indicator of fertility. There's different consistency and colour depending on the different stages in the reproductive cycle. A woman attempting to have a child can exam it to determine the best time to conceive.

 

https://developer.apple.com/documentation/healthkit/hkcategoryvaluecervicalmucusquality

Here's a buzzfeed article talking about the women's health features in iOS: https://www.buzzfeednews.com/article/stephaniemlee/heres-everything-apple-will-track-about-your-period-and-sex

 

The values are input by the user in Apple's health app, choosing from options "Dry", "Sticky", "Creamy", "Watery", and "Egg whites". Likewise the period tracking is also based on user inputs logging their menstruation and selecting "Light", "Medium", and "Heavy" to describe their menstruation.

 

There are some other health/fitness apps that also allow tracking menstruation cycles, as well as dedicated apps for it, so I'm not surprised that Apple's health app also allows tracking it. I know a former partner of mine tracked her cycle with one of the other fitness apps. I had never heard of tracking cervical mucus before, though I guess it would only make sense to do if someone is actively trying to conceive which was never an interest for me and my former partners.

 

If Denis Takorev's (the person who published these security vulnerabilities) claims that Apple are collecting users private health information are true it's quite concerning. While I can understand why women may want to track these things themselves there's no need for Apple to track that data. Though, realistically if Apple are doing it then all of the other health apps are likely doing it as well. I doubt Apple is tracking it for advertising though, isn't their whole shtick that they don't sell personal information to advertisers?

Yeah, as pointed out, Apple not selling your data is not the same thing as Apple collecting and using your data themselves.

 

On the mucas thing, TIL, not sure how I feel about what I learned but I guess it might come in useful

 

Edit - Would still love to hear a female PoV on this one though. Any girls wanna chime in? Is tracking this kind of stuff purely about conception or are there other reasons why you'd want to monitor length, flow and mucas quality?

 

To quote Amy from the TBBT, there's no doubt the male reproductive system is far more low maintenance than the female one.