Apple apologizes for ignoring iOS 15 zero-day flaws, after researcher went public

To curtail bad press, Apple apologized to the frustrated cyber security researcher Denis Tokarev aka @illusionofchaos, after he publically disclosed three zero-day vulnerabilities he found in iOS 15.

Tokarev is part of the Apple Security Bounty program and discovered four zero-day flaws between March 10 and May 4 in the latest iOS 15.0 update. Apple fixed one out of four security vulnerabilities in iOS 14.7 update but the researcher accuses that the company wanted to cover the remaining three flaws by not listing them on the security content page. 

Zero-day exploits in iOS have received a lot of attention, recently, after Amnesty International published a new database of the victims attacked by Pegasus spyware. Developed by Israeli-based company NSO, Pegasus uses these zero-day vulnerabilities which do not require any action from the victims to take control of the latest iPhones, simply by sending a text message. Subsequent reports have questioned Apple’s iPhone security and the company’s will to prevent such attacks.

Apple apologies for ignoring three zero-day flaws in iOS 15 and quietly fixes them

In his disclosure blog post, Tokarev mentions that Apple has apologized to him for the delay and said it is investigating the matter “exactly 24 hours after this publication I finally received a reply from Apple.”

We apologize for the delay in responding to you,” an Apple employee wrote. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”

However, it is not the first time the tech giant has apologized to the researcher.

When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.

Having said that,  a jailbreak developer told Tokarev that Apple has released a fix for all three 0-days, which was done in one day after I have disclosed them. But he has not confirmed the claim.

Read More:

• 5 tips to fix Wi-Fi issues on iOS 15
• 4 tips to fix Bluetooth issues on iOS 15
• How to stop photos from Messages appearing in Shared with You in iOS 15
• Here are easy fixes to common iOS 15 issues and problems
• On iOS 15, AirPod Pro owners can not use Siri to control Active Noise Cancellation and Transparency features