Apple has failed to patch three zero-days in its iOS and macOS operating systems. The exploit code was released by a hacker group that calls itself the “Turkish Crime Family.”
The apple zero-day exploit was released on the same day that Apple failed to patch three vulnerabilities.
After Apple neglected to fix the flaws and acknowledge the researcher, a security researcher published the proof-of-concept attack code for three zero-day vulnerabilities in iOS and a fourth previously patched one on Github.
Between March 10 and May 4, the researcher submitted all four vulnerabilities to Apple. While Apple discreetly fixed one of these vulnerabilities in iOS 14.7 in July, the researcher’s identity was neatly left in the security warning. The remaining three problems have yet to be fixed.
“When I challenged them, they apologized, told me that it was due to a processing error, and promised to include it in the following update’s security content page. Since then, they’ve released three times, and each time they’ve broken their promise,” claims the developer in a Habr post.
Twitter is addressing an auto-refresh issue that caused tweets to vanish from the timeline.
The developer contacted Apple ten days ago, requesting an explanation and threatening to make the study public if Apple did not reply. Because the business reportedly disregarded the warning, the proof-of-concept code for all four vulnerabilities was made public.
iOS 15 devices are also vulnerable.
The four exploits are shown here, along with links to their Github pages.
- Any program from the App Store may exploit this vulnerability to get access to information such as the Apple ID, full name, and full file system read access to the Core Duet, Speed Dial, and Address Book databases, including contact photos and other metadata. The final two databases are unavailable on iOS 15, indicating that Apple has resolved a previously reported problem.
- 0-day: Nehelper enumerate installed applications Any user-installed program may exploit the bug to see whether another app is installed on the device by providing its bundle ID.
- 0-day WiFi data from Nehelper: The flaw allows any app with location access rights to obtain WiFi data without requiring additional authorization.
- Analyticsd (fixed in iOS 14.7): This bug allows any app to access analytics logs, which contain data such as heart rate, menstrual cycle length, biological sex and age, whether the user is logging sexual activity, cervical mucus quality, screen time, device usage information, app usage session count, information about device accessories being used, and information on app crashes with bundle ID and erro.
Can confirm that the vulnerability also works on iOS 15.0 – it’s capable of quietly extracting a *trove* of personal data without _any_ user interaction.
September 24, 2021 — Kosta Eleftheriou (@keleftheriou)
Kosta Eleftheriou, a software engineer, verified that the Gamed zero-day hack works and collects user data as promised. He put the app provided with the POC code through its paces on iOS 14.8 and 15, both of which are susceptible.
iPhone applications monitor you whether you want them to or not, according to the latest news.
When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual automobiles. Yadullah may be reached at [email protected], or you can follow him on Instagram or Twitter.
The zero-day exploit website is a website that has released the source code for an exploit.
- apple zero-days
- apple zero-day patch
- zerodium php
- zero-day exploit market
- zerodium competitors