Days after a report that security researcher Denis Tokarev had gone public with multiple zero-day vulnerabilities, Apple now says it is investigating the bugs and has apologized to Tokarev for the delay in responding to his repeated reports.
After Tokarev went public with details of three unpatched iOS vulnerabilities, he spoke to Motherboard, and his claims gained a lot of media attention. Since going public, Tokarev says Apple has finally reached out and apologized for not responding sooner. The company also addressed the vulnerabilities, stating that it is “still investigating these issues”.
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” an Apple employee wrote. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”
According to Motherboard, Apple did fix one of the vulnerabilities Tokarev discovered, in iOS 14.7, but Tokarev never received credit for it. Three vulnerabilities remain unpatched, one of them a bug in Game Center. That bug allegedly allows any app installed from the App Store to access the user’s Apple ID email, name, contacts, Apple ID authentication tokens, and more.
Tokarev first contacted Apple about the bugs in March and continued to follow up until August. On September 13, Tokarev told Apple that unless he heard back, he would publish details of all the zero-day vulnerabilities, hoping that would force the company to acknowledge and fix them. A full breakdown by Tokarev can be found here. Tokarev and others have been transparent that exploiting the bugs requires a malicious app to be installed on the device, so they do not pose a high threat to everyday users.
Experts have also come forward to criticize Apple’s response and handling of the situation. Nicholas Ptacek, a SecureMac researcher, told Motherboard that he is “glad Apple appears to be taking this particular situation more seriously now”. However, Ptacek believes that Apple’s response appears to be “more of a reaction to bad press than anything else.”