
Miffed security researcher finds way to get Apple talking, drops three iOS vulnerabilities


Almost six months after reporting the first vulnerability to Apple, a security researcher has gone public to reopen lines of communication with Apple.
For most of 2021, a security researcher going by the name of illusionofchaos has been engaged in an unfruitful conversation with Apple to fix a number of vulnerabilities that allow apps to make API calls to pull down user information that they should not be able to access. On Friday, the researcher went public with their findings, which contained one vulnerability fixed in iOS 14.7 and three unpatched vulnerabilities. The fixed bug involved Analyticsd and allowed apps to access logs containing medical information, device usage information, application crashes, and information on device accessories. The unpatched vulnerabilities included the gamed service not properly checking game-center permission and allowing access to the Core Duet database that contains all contacts from Mail, SMS, iMessages, and some attachments; Apple ID email, full name, and authentication tokens allowing access to access at least one apple.
