Apple’s Bug Bounty: The Comedy of Errors and Unpaid Researchers
Imagine this: you’ve just snagged an iPhone 15 Pro, and you’re ready to share breathtaking photos of your summer vacation with your friends. You take a stunning shot of a REAL JUICY pizza, adjust the location to make it look like you’ve been eating around the picturesque streets of Naples, and then you hit “share”. But then all your (tech) friends ask you why you’re eating alone in your hometown restaurant instead!
You are now panicking and scramble to delete the photo, but the damage has been done 😄
The Vulnerability
Here’s the actual bug: when you share a photo as a raw file (the original, uncompressed asset rather than a re-encoded copy) through a third-party app such as Telegram (and, as it later turned out, through some Apple apps as well), the original location data is not actually modified! Despite editing the location in the Photos app so that the EXIF data should reflect your new destination, the raw file still reveals your true location. The practical takeaway: what the Photos app displays is not what leaves your phone, so check the GPS tags of the actual file you are about to send, not the gallery view.
Steps to Reproduce the Issue
Want to see this bug in action? Follow these steps:
- Snap a photo with your iPhone.
- Adjust the photo location in the Photos app to a new place (e.g. Naples).
- Share the photo on Telegram as a raw file.
- Delete the photo from your gallery (or do the next step from another device).
- Download the photo from Telegram that you just uploaded.
- Examine the EXIF data. Surprise! The original location is still there, showcasing your unremarkable countryside restaurant instead of the Naples Coast.
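The check in the last step, as an added example that is not code from the original post: a standard-library-only Python script that pulls the GPS fix out of a JPEG’s EXIF block and compares it with where you believe the photo was taken, so you can verify the file you are about to send rather than trusting what the gallery shows. It assumes the standard EXIF layout (an APP1 segment carrying a TIFF header, IFD0, and a GPS sub-IFD with tags 1–4 for latitude/longitude and their N/S/E/W references). Because it has to run offline, it builds its own constructed sample JPEG (`build_sample_jpeg`) with made-up coordinates instead of a real iPhone capture; `exif_gps`, `distance_km` and `location_matches` are names chosen for this example.

```python
import math
import struct

GPS_IFD_TAG = 0x8825                                         # IFD0 entry pointing at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element for each EXIF type


def _exif_payload(jpeg: bytes):
    """Walk the JPEG marker segments; return the TIFF block inside the APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker stream at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                           # SOS or EOI: no more header segments
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:         # standalone markers carry no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return segment[6:]
        pos += 2 + length
    return None


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Decode one IFD into {tag: value}; ASCII, SHORT, LONG and RATIONAL entries are interpreted."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        # values of 4 bytes or fewer are stored inline; larger ones sit at an offset
        start = base + 8 if size <= 4 else struct.unpack(e + "I", tiff[base + 8:base + 12])[0]
        raw = tiff[start:start + size]
        if typ == 2:
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            entries[tag] = struct.unpack(e + ("H" if typ == 3 else "I") * n, raw)
        elif typ in (5, 10):
            fmt = e + ("II" if typ == 5 else "ii")
            entries[tag] = [struct.unpack(fmt, raw[j:j + 8]) for j in range(0, size, 8)]
        else:
            entries[tag] = raw
    return entries


def _dms_to_decimal(dms, ref: str) -> float:
    """(deg, min, sec) rationals plus an N/S/E/W reference letter -> signed decimal degrees."""
    value = sum(num / den / 60 ** i for i, (num, den) in enumerate(dms))
    return -value if ref in ("S", "W") else value


def exif_gps(jpeg: bytes):
    """Return (lat, lon) from the EXIF GPS IFD, or None when the file carries no GPS fix."""
    tiff = _exif_payload(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"                    # byte order declared in the TIFF header
    (ifd0_offset,) = struct.unpack(e + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_offset, e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, ifd0[GPS_IFD_TAG][0], e)
    if not all(tag in gps for tag in (1, 2, 3, 4)):          # LatRef, Latitude, LonRef, Longitude
        return None
    return _dms_to_decimal(gps[2], gps[1]), _dms_to_decimal(gps[4], gps[3])


def distance_km(a, b) -> float:
    """Great-circle (haversine) distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def location_matches(jpeg: bytes, expected, tolerance_km: float = 1.0) -> bool:
    """True only if the GPS fix actually embedded in the bytes is near where you believe it is."""
    actual = exif_gps(jpeg)
    return actual is not None and distance_km(actual, expected) <= tolerance_km


def build_sample_jpeg(lat: float, lon: float) -> bytes:
    """Constructed test input (not a real iPhone capture): a minimal big-endian JPEG whose only
    metadata is a GPS IFD. TIFF layout: header 8 | IFD0 18 | GPS IFD 54 | lat 24 | lon 24 bytes."""
    def rationals(value):
        deg, rem = divmod(abs(value) * 3600, 3600)
        minutes, seconds = divmod(rem, 60)
        return struct.pack(">IIIIII", int(deg), 1, int(minutes), 1, round(seconds * 10000), 10000)

    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", 1, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\x00" * 3
    gps += struct.pack(">HHII", 2, 5, 3, 80)
    gps += struct.pack(">HHI", 3, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\x00" * 3
    gps += struct.pack(">HHII", 4, 5, 3, 104)
    gps += b"\x00" * 4                                       # no next IFD
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + ifd0 + gps + rationals(lat) + rationals(lon)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

To run it against a real download, read the file you got back from Telegram with `exif_gps(open("photo.jpg", "rb").read())` and feed the coordinates you set in the Photos app to `location_matches`; if the original fix is still embedded, the check returns `False` and you know the edit never reached the bytes that were shared. Note that HEIC originals store their EXIF inside an ISO-BMFF container, not in a JPEG APP1 segment, so this parser only covers JPEG raw files.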
Time to get paid, right?
Now, let’s talk about the joy of reporting this vulnerability to Apple. After confirming the bug, you’d think it would be addressed promptly. Instead, you find yourself trapped in the bureaucratic limbo of the bug bounty program. A year goes by with little to no communication, except for the occasional “we’re looking into it.” When the issue finally gets closed with “We’re unable to identify a security issue in your report”, it feels less like a resolution and more like a cruel joke.
To add insult to injury, Apple’s bug bounty program, which is supposed to reward researchers for their hard work, often resembles a scavenger hunt where the prize is elusive, if it exists at all. Many researchers have shared stories of similar experiences, including reports of vulnerabilities such as an RCE in the ACE2 chip that also went unpaid.
Apple please fix your stuff!
Dear Apple, if you want to encourage researchers to help improve your systems, how about actually paying them?
For journalists covering sensitive stories or operating in dangerous areas, this can be a major issue. Sharing an image in the belief that its GPS location has been changed, when the original coordinates are in fact still embedded in the file, could have serious consequences, putting their own safety or that of their sources at risk.
But I guess Apple doesn’t care after all. Or they’ll just fix it silently ;)
Also, many, many thanks to my friend @katchup for helping to debug and test this issue, as Apple even expects you to install beta versions on your main device just to test reproducibility!