
"The Wi-Fi subsystem probably passes the Wi-Fi network name (SSID) unsanitized to some internal library that is performing string formatting, which in turn causes an arbitrary memory write and buffer overflow. This will lead to memory corruption and the iOS watchdog will kill the process, hence effectively disabling Wi-Fi for the user."

This sounds like a significant security bug?



It’s pretty significant but a strong mitigating factor is that you have to join the network manually before this happens.


Surely more of a mitigating factor is that there's nothing to 'do' with it afterwards? It's easy to get people to (try to) join your WiFi network, but then what? Without some serious secondary effect I'd guess it's probably not getting desperately quick attention or a big payout.


Format strings can do arbitrary memory reads/writes, so this will probably quickly turn into an RCE bug (it likely already has, but we won't hear for another 90 days unless someone very based decides to tell us.)


This was true maybe 10ish years ago, but with ASLR, PAC, stack cookies and other mitigations it is now much harder to turn even a legitimate vulnerability (like a trivial buffer overflow) into actual RCE. There's every likelihood that this isn't actually exploitable; on the other hand it might be, we will have to wait and see.


I get reads, but writes? How do you manage that? I'm presuming they're using the safe versions of sprintf but in case they're not, they probably have bigger problems.


I think printf has a %n specifier that writes the number of characters so far to a pointer passed in.
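The bug pattern the quoted advisory and this reply describe (untrusted SSID used as the format string) next to the hardened form and a cheap check for smuggled directives. This is an added example, not code from the thread or from Apple's Wi-Fi stack; the function names and the "Joined ..." message are made up here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count conversion directives an attacker could smuggle into an SSID.
 * "%%" is a literal percent sign, not a directive, so it is skipped. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* The bug pattern the thread describes: untrusted data used AS the format.
 * Every '%' in the SSID is then interpreted, and "%n" is a write.
 * gcc/clang flag this with -Wformat-security; that warning is the cheapest
 * detection there is, silenced below only so the buggy form compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_ssid_unsafe(char *out, size_t cap, const char *ssid) {
    return snprintf(out, cap, ssid);          /* undefined if ssid has '%' */
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and the SSID is only ever an
 * argument, so a '%' in it is copied verbatim. Returns false when the
 * name did not fit, instead of silently truncating. */
bool render_ssid_safe(char *out, size_t cap, const char *ssid) {
    int n = snprintf(out, cap, "Joined \"%s\"", ssid);
    return n >= 0 && (size_t)n < cap;
}
```

Rejecting or at least logging any SSID for which count_format_directives() is non-zero gives a detection signal even where the rendering code has already been fixed.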


With arbitrary memory writes, and an apparently reliable form of persistence across reboots, there's a pretty good chance there is something to do with it afterwards (RCE, leading to control of wherever this runs)... it sounds like that part just hasn't been figured out yet.


Seems like an annoying DoS bug for sure. This is why having an actually secure watchdog is so nice. I still don't understand why people jailbreak in 2021.


So they can sideload apps not approved by the Apple App store. A feature that Android phones have when developer mode is on.


Can do that without a jailbreak though https://altstore.io/


You have to trust them with your Apple ID (from the FAQº):

Why do you need my Apple ID?

Apple allows anyone with an Apple ID to install apps they’ve built themselves onto their devices for testing. AltStore uses your Apple ID to communicate with Apple's servers on your behalf and perform the necessary steps to prepare your account for installing apps onto your device.

Do you save or send my Apple ID to anyone besides Apple?

Your Apple ID is never sent to anyone but Apple. AltStore does save your Apple ID so it can refresh apps for you automatically, but it is stored securely in the device’s keychain. AltServer does not save your Apple ID, and requires you to enter your credentials each time.

(Of course, jailbreak isn't necessarily more secure - you have no idea if they inject malware into your device during the process.)

º https://altstore.io/faq/





