A security researcher has released the proof-of-concept exploit code for three zero-day vulnerabilities in iOS and a fourth already patched one on Github after Apple failed to patch the issues and credit the researcher.
The researcher had reported all four bugs to Apple between March 10 and May 4. While the company quietly patched one of these bugs in iOS 14.7 in July, they conveniently left the researcher’s name in the security advisory. The other three bugs remain unpatched.
“When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then, and they broke their promise each time,” says the developer in a post on Habr.
Processing issues for sure
Ten days ago, the developer reached out to Apple for an explanation and warned them that they’d make the research public if Apple didn’t respond. The company allegedly ignored the message, and hence, the POC code for all four exploits was released.
The four exploits, along with their Github links, are as follows.
- Gamed 0-day: Any app from the App Store can exploit this vulnerability to access data like the Apple ID, full name, complete file system read access to the Core Duet, Speed Dial and Address Book database includingg contact pictures and other metadata. The last two databases are inaccessible on iOS 15 suggesting Apple fixed another reported issue quitely.
- Nehelper enumerate installed apps 0-day: The bug allows any user-installed app to determine whether any app is installed on the device provided its bundle ID.
- Nehelper WiFi Info 0-day: The bug lets any app having location access permissions to access WiFi information without the permissions required.
- Analyticsd (fixed in iOS 14.7): The bug allows any app to access analytics logs which contains information like heart rate, menstrual cycle length, biological sex and age, whether user is logging sexual activity, cervical mucus quality, screen time, device usafge infomation, app usage session count, information about device accessories being used, information on app crashes with bundle ID and error codes as well as languages of webpages viewed in Safari.
Software engineer Kosta Eleftheriou confirmed that the Gamed zero-day exploit does work and harvest user data as claimed. He tested the app included with the POC code on iOS 14.8 and 15, both of which are, in fact, vulnerable.