
Who's the next highest bidder after Apple for a bug in `gamed` that allows you to access GameCenter and download contacts? It's a significant vulnerability, but there's e.g. no price list entry on Zerodium (you can take Zerodium more or less seriously, this is just a data point) for anything but code execution, which this vulnerability isn't.



> Who's the next highest bidder after Apple for a bug in `gamed` that allows you to access GameCenter and download contacts?

Anyone who actually pays money or golden bars within a reasonable timeframe?

> It's a significant vulnerability, but there's e.g. no price list entry on Zerodium

On this scale I think it's "Contact us and we negotiate" sort of price.


Who? Speculate as to who they might be. The six figure numbers you're familiar with are for code execution bugs. This is obviously not that. So they're not anybody that quotes prices for bugs, or anyone directly comparable to them.

Governments can already pay prices comparable to the supposed bounty valuation of this bug for code execution. They're probably not shelling out six figures in gold bars for a bug that exfiltrates contact lists from apps that have to be installed from the app store.

The non-bounty market clearing price for a lot of scary sounding vulnerabilities is $0.


>Who?

Cellebrite and all the surveillance-as-a-service shops might be interested in information disclosure bugs. You maybe will not get the $100K Apple promised, but maybe you can sell it four times for $30K or something like that if the bug is still "good enough" for certain uses.

RCEs in Windows or iOS go for a lot more than a measly $100K if you can manage to get in contact with the right people. Think 10-20 times that.


Full chain RCEs in iOS go for 1MM from the Apple bounty program, so you'd imagine they'd have to go for more than that from a tranched grey market contract.

This is a bug that allows you to read contacts from a malicious app installed from the app store. It's not drive-by contact exfiltration; it's intensively interactive. I'm surprised the Apple bounty terms are so generous-sounding about bugs like these, but I read them, and I'm not contesting the $100k the article claims this is worth.

Apple can't really outbid the grey market on RCEs, but they have clearly outbid it on this bug.


Yes, I agree with this assessment of this particular bug. As far as this bug goes, from the description, this particular one is probably not very valuable to anybody. You have to get an app into the app store and then trick people to install it for not that much information you can exfiltrate. If it was a bug that allowed attackers to exfiltrate contacts and email addresses and such just by having the victim visit a website or open an email, that would be another matter, and still quite valuable even though it wouldn't be RCE.

But who knows, it still might be worth a few bucks to you because you've already figured out the delivery. And your relationship to somebody with the skills to find interesting bugs and willingness to sell to you might be worth even more, so you might pay money not just for the bug but for the relationship.


Cellebrite is more in the business of data extraction.


Your comments are the only ones here which aren’t divorced from reality. It’s weird. Who are these supposed guys paying six figures for this sort of thing? It’s just not a valuable thing.


I don't know that it's not valuable! It's a good bug, from what I understand of it. The issue here is subtle.

It's not that bugs of all stripes don't have plausible value. It's that there isn't a market for most of them. Bugs are small parts of the enterprises that exploit them. To purchase a bug for significant amounts of money, it has to slot into some kind of business process that will profitably† take advantage of it.

What people are subtextually observing with these $250k vulnerabilities is that there are a bunch of well-scripted playbooks for profiting from RCE vulnerabilities on widely distributed, unevenly patched devices. There may be no meaningful cap to how much a phone RCE is worth, since the IC's alternative to RCEs is human intelligence work that will dwarf any RCE cost just in health and benefits overhead for personnel.

But there just aren't a lot of business processes that profitably exploit stolen contact lists from malicious application installs. You can come up with lots of stories about those processes, but the key thing is that for a bug to be worth a bunch of money, that process already has to exist and be working; the cost of building all the business process stuff around the bug will rival the cost of the bug itself. Bugs have finite lifespans, and "snarf contacts from malicious app" bugs are idiosyncratic, and tend not to be pin compatible with a steady stream of similar bugs that would justify keeping that exploitative process up and running.

This is for what it's worth all my own personal weird theory of the situation, and I don't sell or buy bugs. But I have repeated the theory to many people who do either or both, and nobody has told me I'm totally wrong about it.

† For some possibly non-economic definition of "profitably"


I'm with you. I think these cheap, Apple-bashing blogs want to make this into a bigger deal but there are a few things that don't add up to make this the huge issue they think it is:

1. The bug lets you download contacts. Nothing else. As you've said, no one's going to pay six figures for a bug that lets you get someone's contacts from GameCenter. If this was even slightly more abstract and didn't specifically deal with just GameCenter, I could see it being valuable for companies that do phone-to-phone transfers, for example, because you could download someone's contacts from a locked device. This isn't that, though.

2. Nowhere in the article, or even the original tweet, does Apple acknowledge or state that he was the person that initially found the bug. They just confirmed that the bug exists and asked him to keep it confidential. It's entirely possible that the reason for the delay is because someone discovered a lower-level bug that rolled up to this and it's a bit less clear-cut who is owed the credit for the fix that they released. They're not just going to go around and pay everyone who claims to have found a bug. They have to verify it and make sure that it's not something they've already discovered through another report or on their own.

3. Sometimes this stuff just takes time. When you're dealing with codebases as large as this, changing a small thing to fix a bug can unintentionally break a bunch of other things. It's not always a simple matter of "this small piece is broken and is completely independent of everything else". We have no idea if this is or isn't one of those cases because we don't really know much about it (and for good reason).


> 1. The bug lets you download contacts. Nothing else. As you've said, no one's going to pay six figures for a bug that lets you get someone's contacts from GameCenter. If this was even slightly more abstract and didn't specifically deal with just GameCenter, I could see it being valuable for companies that do phone-to-phone transfers, for example, because you could download someone's contacts from a locked device. This isn't that, though.

I, the evil overlord, would very much like to know who is ratting out my secret initiatives to those nosy journalists. Maybe some of them don't keep good information hygiene and will download my simple but quite addictive game? At least I get to know some names and addresses.


It's not just that it's contact data; I agree, exposing contact databases is a big deal, and that this (as depicted) is a significant bug. It's that to accomplish that with this bug, you have to install a malicious app from the app store. That is a very high hurdle towards operationalizing the bug, especially since, as I said elsewhere, Apple does API-level surveillance of apps in the app store.


But isn't that the reason malicious actors buy legit apps made by small shops, to insert what at best is adware/spyware into something that is useful and has already made a name for itself?

Or make useless copycats, as Kosta Eleftheriou has already proved is a method of choice in the iOS App Store.


I'm not saying you can't do anything with this bug, just that it's much harder to do something with it than with a drive-by vulnerability. It is a little surprising to me that Apple's bounty sort of implies they'll pay so much for a bug like this.


The reason attackers buy or compromise existing apps is exactly because they want to sidestep the hurdle of tricking people into downloading their malicious app. Using an existing app gives you access to the existing users.


Ideally it would be a privacy regulator who would issue a 7 figure fine and give the reporter a cut.


If you want to lobby for the law that enables that to happen, I'm happy to sign your petition, but I wouldn't get your hopes up.


It's called the GDPR. Places other than the US exist, and the bug reporter seems to be an EU resident.


The GDPR indeed has provisions to fine companies for "avoidable" data leaks due to lacking security practices. The regulators will not pay you a bounty for reporting companies, and there is a big difference between a normal "bug" and "bad practices".

E.g. one of the first GDPR fines here in Germany was issued against a company that had their customer DB dumped[0], specifically for still storing some user passwords in plaintext.

[0] https://gdprhub.eu/index.php?title=LfDI_-_O_1018/115


Shady advertising SDK? (Also, don't people use code execution to exfiltrate contacts and messages? This is basically what this bug does, albeit with "several clicks" involved.)



