In brief: An anonymous researcher disclosed three zero-day vulnerabilities for iOS this week, claiming Apple’s latest iOS 15 update is still vulnerable to them. The researcher criticized Apple for ignoring warnings about the vulnerabilities, saying they first disclosed them to Apple in April. The vulnerabilities could be used to expose Apple IDs, real names, Wi-Fi information, and more.
In a blog post, the researcher says they first sent a report of four vulnerabilities to the Apple Security Bounty program on April 29. Apple addressed one of the vulnerabilities in iOS 14.7 in June, but didn’t mention it in the security notes for that update. The researcher says Apple still hasn’t mentioned it in subsequent security notes, addressed the other three vulnerabilities, or given them credit for discovering the vulnerabilities.
The researcher warned Apple on September 13 that they would make their research public if it did not address the remaining vulnerabilities. This week’s blog post, which contains full descriptions of the security holes as well as links to their GitHub repositories, seems to be in response to Apple’s release of iOS 15, which has not fixed them.
One vulnerability can allow any app, without a prompt from the user, to access an Apple ID along with the full name associated with it. The same flaw also exposes a list of contacts from SMS, Mail, iMessage, and third-party messaging apps, as well as metadata about how users interact with those contacts, which includes things like timestamps, URLs, and texts. The researcher thinks iOS 15 may have partially fixed this exploit.
🚨Can confirm the exploit also works on iOS 15.0 – it’s able to silently pull a *trove* of personal information without _any_ kind of user prompt.
— Kosta Eleftheriou (@keleftheriou) September 24, 2021
Another vulnerability lets any installed app determine whether any other app is also installed by using its bundle ID. The third vulnerability lets any app potentially access Wi-Fi info it isn’t supposed to. The vulnerability that iOS 14.7 fixed could let apps access analytics information like medical information, screen time, what languages the users viewed in Safari, and more.
A software engineer has since corroborated the claim that at least one of the exploits works in iOS 15.
This week Apple did, however, release iOS 12.5.5, a security update for devices still running iOS 12. That includes older devices like the iPhone 5 and iPhone 6, which stopped receiving major updates after iOS 12. The update addresses security holes that could lead to arbitrary code execution.