Apple silently fixes iOS zero-day, asks bug reporter to keep quiet
Apple has silently fixed a 'gamed' zero-day vulnerability with the release of iOS 15.0.2, on Monday, a security flaw that could let attackers gain access to sensitive user information. In July, Apple also silently patched an 'analyticsd' zero-day flaw with the release of 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in security advisories for an upcoming update. Apple published multiple security advisories addressing iOS vulnerabilities but, each time, they failed to credit his analyticsd bug report. "Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day. Some said bugs reported to Apple were silently fixed, with the company failing to give them credit, just as it happened in this case. In total, Tokarev found four iOS zero-days and reported them to Apple between March 10 and May 4. If attackers would successfully exploit the four vulnerabilities on unpatched iOS devices, they could gain access and harvest Apple ID emails, full names, Apple ID authentication tokens, installed apps info, WiFi info, and analytics logs.