Apple patched an iOS lock screen bypass without crediting its discovery
Apple fixed a recently unearthed lock screen bypass with the release of iOS 15.0.1, but failed to publicly recognize the weakness or the person who discovered it.
In September, researcher Jose Rodriguez detailed an iOS vulnerability that enables attackers to bypass a secured iPhone lock screen and access notes through a combination of VoiceOver and common sharing tools.
Rodriguez published a proof of concept on his YouTube channel on Sept. 20, illustrating methods by which a user’s notes can be copied and sent to another device. The researcher did not disclose the vulnerability to Apple prior to going public, saying at the time that he was “giving away” the exploit in hopes of shedding light on problems related to the tech giant’s Bug Bounty Program.
As noted by Rodriguez in a Twitter post on Friday, Apple’s iOS 15.0.1 release contains a fix for the lock screen bypass. Accompanying release notes show that Apple did not assign a CVE designation or provide credit to the researcher for discovering the flaw. The company pulled a similar move last month when it quietly fixed a macOS Finder vulnerability.
Researchers have criticized Apple’s Bug Bounty Program for a general lack of communication and misunderstandings over payouts.
via AppleInsider News https://ift.tt/3dGGYcl
October 1, 2021 at 04:40PM