The biggest problem is not that the browser could leak data, but that Apple appears to be trying to silence those who find out.
Even the largest companies ship bugs in their applications that can endanger users, for example by leaking their data or their shared files. Plenty of companies have been set up to hunt for such problems: they carry out continuous research, map vulnerabilities and warn manufacturers and developers about them. This is exactly what happened with Apple’s Safari browser, but according to several experts the company then tried to delay the fix.
In April, Pawel Wylecial, a co-founder of the Polish cyber security company REDTEAM.PL, discovered a vulnerability in the iOS and macOS versions of Safari related to the browser’s implementation of the Web Share API. This standard is an application programming interface that lets a web page hand text, links, files and other content to the system share sheet (Mail, Messages and so on). The files that end up being shared live on the user’s device, and a malicious site can abuse this: it persuades the user to share what looks like an ordinary link via email, while the share actually carries a file from the user’s machine along with it.
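As an added illustration (not code from the article, from REDTEAM.PL or from Apple): a site that offers sharing can wrap `navigator.share()` in a guard that only passes through http(s) links and explicitly chosen File objects, so that no share payload built from a tampered URL reaches the browser. The article does not say which URL form was abused; this guard simply treats any non-http(s) `url` as suspect, which is an assumption about the vector, not a claim from the article. The `shareFn` injection point and the mock share function are added so the code can run in Node, where `navigator.share` does not exist. This is a client-side hardening for a site’s own share button, not a fix for the browser bug itself, which only the vendor can ship.

```javascript
// Added example: a guarded wrapper around the Web Share API.
// Only http(s) URLs and File-like objects are allowed through; everything
// else is rejected before navigator.share() ever sees it. The non-http(s)
// rule is an assumption about what a hostile payload looks like.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns null when the payload is acceptable, otherwise a short reason string.
// baseHref is the page URL, used to resolve relative links the way the browser would.
function checkSharePayload(data, baseHref) {
  if (data === null || typeof data !== 'object') return 'payload must be an object';

  if (data.url !== undefined) {
    let parsed;
    try {
      parsed = new URL(String(data.url), baseHref);
    } catch (e) {
      return 'url is not parseable';
    }
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
      return 'url scheme ' + parsed.protocol + ' not allowed';
    }
  }

  if (data.files !== undefined) {
    if (!Array.isArray(data.files)) return 'files must be an array';
    for (const f of data.files) {
      // Accept only File-like objects the page itself constructed or the user picked.
      if (f === null || typeof f !== 'object' || typeof f.name !== 'string' || typeof f.size !== 'number') {
        return 'files entries must be File-like objects';
      }
    }
  }

  return null;
}

// Calls the share function only after the payload passes the check.
// opts.shareFn lets a test or a non-browser runtime substitute navigator.share.
async function guardedShare(data, opts = {}) {
  const baseHref = opts.baseHref ||
    (typeof location !== 'undefined' ? location.href : 'https://example.invalid/');
  const shareFn = opts.shareFn ||
    (typeof navigator !== 'undefined' && navigator.share ? navigator.share.bind(navigator) : null);

  const problem = checkSharePayload(data, baseHref);
  if (problem !== null) throw new Error('share blocked: ' + problem);
  if (shareFn === null) throw new Error('Web Share API not available');
  return shareFn(data);
}

// Demo with a constructed mock share function (not a real browser call).
const recorded = [];
const mockShare = async (d) => { recorded.push(d); };
const demoOpts = { baseHref: 'https://example.com/', shareFn: mockShare };

guardedShare({ title: 'A post', url: '/posts/1' }, demoOpts)          // relative link resolves to https, allowed
  .then(() => guardedShare({ url: 'file:///etc/passwd' }, demoOpts))  // blocked before mockShare runs
  .catch((err) => console.log(err.message));
```

The check resolves relative URLs against the page before inspecting the scheme, because that is what the browser does with the `url` member; checking the raw string alone would let a relative path through unexamined and reject legitimate relative links.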
Wylecial reported the problem to Apple in April; under the industry’s widely accepted 90-day disclosure norm, the company would have had until July to ship a fix. What is really shocking about the case is not just that the bug is still unpatched four months later, but that the company even tried to persuade the researcher to hold back the report for about a year.
After the Polish researcher shared the story on Twitter, plenty of others joined in with their own experiences. Some had reported a bug last June that Apple only plans to fix this fall, more than a year after it was reported. Others said Apple had promised to fix the problems they found, only to claim later that there was no bug at all.
For two of my bugs they’ve told me the same thing, that it will be fixed in “Fall of 2020”, and yesterday I asked for the update. They replied it’s not a bug 😅
– Nikhil Mittal (@c0d3G33k) August 24, 2020
Incidentally, Apple recently launched a bug bounty program that, in theory, rewards researchers who discover vulnerabilities in the company’s products. However, several experts have suggested that the program is designed to let the company restrict the publication of research by withholding payment. Apple has not yet responded to these allegations.