In April, in a detailed report, Denis Tokarev, a Habr user under the nickname illusionofchaos, notified Apple of four vulnerabilities in iOS, discoveries of this kind being usually valued at around $100,000 under the Apple Security Bounty program. After receiving the report, Apple confirmed that it had read it and was conducting an investigation.

In July, the iOS 14.7 update fixed only one of the bugs. The remaining vulnerabilities were not corrected by the Cupertino company, and for a full six months Tokarev received neither the answer he was waiting for nor the reward he had earned. This prompted him to publish the vulnerability details publicly.

The story spread within a few days, and only then did Apple decide to contact the researcher. In its letter, the company apologized for ignoring him and stressed that it is still conducting an investigation:

We’ve seen your blog post regarding this issue and your other hits. We apologize for the delay in responding. We want to inform you that we are still investigating these issues and how to address them to protect customers.

The one vulnerability that Apple fixed made it possible to access medical information, data on device usage, the languages of the web pages viewed in Safari, and information about connected accessories. The other vulnerabilities allow, for example, the Apple ID e-mail address and full name to be obtained without permission.

In addition, the discovered vulnerabilities give access to e-mail, SMS and iMessage contacts, some message attachments, data on which applications are installed on the device, and information about the Wi-Fi connection. Tokarev emphasized that all of these bugs involve private APIs.