Image: Cindy Shebley/Flickr
On Thursday, a security researcher published details of three iPhone vulnerabilities that are unpatched as of today. The security researcher, whose name is Denis Tokarev, said he decided to publish the bugs' details as well as the source code that makes it extremely easy to reproduce and exploit them, because he was tired of waiting and felt like Apple ignored him.
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.
Tokarev reported the vulnerabilities to Apple between March 10 and April 29, but the last time he heard back from Apple about the three vulnerabilities was August 6, August 12, and August 25, respectively. Then the researcher said he told Apple on September 13 he would publish details of the bugs unless he heard back.It was only after he went public with details about the unpatched bugs that Apple reached out, according to Tokarev, who shared Apple's email with Motherboard. "We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," an Apple employee wrote. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."Motherboard checked that the email is legitimate by analyzing its header, which shows the message Tokarev received was sent via servers owned by Apple, according to online records."While I’m glad Apple appears to be taking this particular situation more seriously now, it comes across as more of a reaction to bad press than anything else," Nicholas Ptacek, a researcher who works for SecureMac, a cybersecurity company that focuses on Apple computers.The vulnerabilities Tokarev found, as he himself admitted and security researchers agreed, are not highly critical, as they could only be exploited by a malicious app that would need to get on the App Store and then on people's devices.
But the way Apple handled this whole process, given that its bug bounty program is more than five years old, "is not normal and should not be considered normal," according to Katie Moussouris, a cybersecurity expert who essentially invented the concept of bug bounties more than 10 years ago while she was at Microsoft."Bug bounties and vulnerability disclosure programs are like a garden. You actually have to maintain them, you have to weed the garden," she told Motherboard in a phone call. "You have to get rid of unwanted and unnecessary delays in your process, because they're like weeds, they take up time, they take up resources."
Moussouris said that this story shows that Apple is still struggling with communicating well with researchers, a "common failure" of bug bounty programs, one that can happen even with a "top-notch security team" and some of the highest rewards in the market like Apple has. "You would think that their bug bounty program is the healthiest of all the bug bounty programs since they're offering a million dollars as their top prize. But it's absolutely not the case," Mossouris said. Apple declined to comment.
Do you research vulnerabilities and exploits for iPhones? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email firstname.lastname@example.org.
Ever since Apple launched its bug bounty program in 2016 in a surprise announcement at one of the largest cybersecurity conferences in the world, the program has struggled to take off and has been mired by controversy. A year after its launch, when the program was invite-only, several security researchers who specialize in finding bugs in the iPhone operating system told Motherboard that reporting bugs to Apple just did not make sense because the vulnerabilities were even more valuable than what Apple was willing to pay, and some of them were needed to be able to continue doing research. In 2018, Motherboard reported that researchers were reporting bugs and getting rewards. But many researchers, such as Tokarev, are still unhappy with the program. In early September, The Washington Post reported that several security researchers still complain about Apple for being too slow to fix the bugs they report to the company, and for not doling out fair payments for the bugs. Now that the bug's details and source code are out, "I think Apple will have to move faster, and I'm sure they are," Mossouris said. Motherboard asked Apple whether a patch for the three vulnerabilities was coming soon, but the company declined to comment. Subscribe to our cybersecurity podcast CYBER, here.