Apple Criticized Over Multiple Security Vulnerabilities in iOS 15

 


A security researcher has criticized Apple for leaving three zero-day security flaws in iOS 15 that have not been patched since last April.

The anonymous security researcher disclosed the three zero-day flaws to the public this week, after iOS 15 was officially released. He criticized Apple for letting the flaws persist even though he had reported his findings to Apple last April.


According to him, these flaws can expose the user's Apple ID, real name, WiFi information, and so on.



In his blog post, the security researcher said he reported four vulnerabilities to the Apple Security Bounty program on April 29. One of them was then patched in iOS 14.7, which was released last June, although the fix was not mentioned in the patch notes.


He complained that Apple did not acknowledge the flaw he had found, did not list it in the patch notes, and did not patch the three other flaws he had reported.


Previously he had 'threatened' Apple that he would publish these findings on September 13 if they did not patch the flaws. He then did publish his findings in full, including a link to his GitHub repository, because the flaws still exist in iOS 15.







Through one of those flaws, any app could, without the user's knowledge, access the full Apple ID along with the full name associated with the account. In addition, the app can access the contact list from SMS, Mail, iMessage, and third-party messaging applications.


It can also obtain metadata describing how the user interacted with those contacts. According to the anonymous researcher, this flaw has been partially patched.


Another flaw lets an installed application find out which other applications are installed on the Apple ID. The third flaw allows any application to access WiFi information that should not be accessible to it.
