The Proofs Are On GitHub
A security researcher, currently known only as Illusion of Chaos has published three iOS vulnerabilities which have apparently been exploited in the wild, possibly for over a year, and which remain unpatched on even the newest version of the iThang operating system. This mysterious researcher claims they revealed the vulnerabilities to Apple earlier this year and decided to publish them now as Apple has not moved to patch the holes.
All three involve daemons running on the operating system and allow an attacker to gain information about the apps installed on the phone, details of the WiFi on the phone and worst of all, access to AppleID emails, names, auth token, and grant file system access. There was a fourth vulnerability reported to Apple at the same time, which was actually patched in a recent update.
This also reveals possible issues with Apple’s bug bounty program, with a number of other security researchers claiming that not only have some of their submissions been completely ignored, Apple has also not paid out the money that the bounty program promised and blocked them from submitting new vulnerabilities after they complained about the reduced rewards.