Pierluigi Paganini September 24, 2021

Researcher release PoC exploit code for three iOS zero-day flaws after Apple delayed addressing them and did not credit him.

An unknown researcher publicly released on GitHub proof-of-concept exploit code for three iOS zero-day vulnerabilities and one flaw addressed by Apple in July.

The experts discovered the four zero-day issues between March 10 and May 4 and reported them to the IT giant.

According to the researcher, Apple addressed one of the issues in July without crediting him, while the remaining flaws are yet to be patched.

“I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update.” wrote the expert. “There were three releases since then and they broke their promise each time.”

The expert attempted to contact Apple for clarification, but the remaining flaws were not addressed.

Below is the list of GitHub repositories that contain PoC source code for the zero-days discovered by the expert, which were also shared with Apple. The expert explained that each repository contains an app that gathers sensitive information and presents it in the UI.

• Gamed 0-day
• Nehelper Enumerate Installed Apps 0-day
• Nehelper Wifi Info 0-day
• Analyticsd (fixed in iOS 14.7)

Researchers from BleepingComputer attempted to contact Apple, but the company has yet to reply at this time.

BleepingComputer reported that the software engineer Kosta Eleftheriou has confirmed that the app designed to exploit Gamed zero-day and harvest sensitive user information works on iOS 15.0, which is the latest version of the Apple iOS operating system.

The researcher explained that the Analyticsd, which was addressed in iOS 14.7, could allow any user-installed app to access analytics logs that contain a huge trove of information, including:

• medical information (heart rate, count of detected atrial fibrillation and irregular heart rythm events)
• menstrual cycle length, biological sex and age, whether user is logging sexual activity, cervical mucus quality, etc.
• device usage information (device pickups in different contexts, push notifications count and user’s action, etc.)
• screen time information and session count for all applications with their respective bundle IDs
• information about device accessories with their manufacturer, model, firmware version and user-assigned names
• application crashes with bundle IDs and exception codes
• languages of web pages that user viewed in Safari

“All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected. That’s why it’s very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if “Share analytics” was turned off in settings.” states the expert.

The researcher claims that Apple is hypocritical when says that it take care of the user privacy, he also added that has released the zero-day exploit code in accordance with responsible disclosure guidelines of companies like Google that gives a 90-days deadline to the vendor to address the reported issues.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]