An Apple employee found a zero-day vulnerability during a hacking competition, but decided not to report it. Now Google accuses Apple of having withheld relevant information from them.
Once again we may be looking at a corporate confrontation between Google and Apple, this time over the discovery of a zero-day bug in Chrome by an Apple employee. At least that is what can be read in the official Chromium bug report. Vulnerabilities of this type are very dangerous, because malicious actors could exploit them before the developers manage to patch them.
It is not the first time Google has acted on vulnerabilities of this type, and it will not be the last. Bugs of this kind also carry some of the highest rewards in the ethical hacking contests run by major technology companies, which is exactly how this bug was discovered. What makes this case special is that the hacker who found it did not subsequently report it to Google.
The history of the bug that was not reported
The security flaw was found last March during a CTF (Capture the Flag) competition, apparently by an Apple employee. According to a Google employee writing in the Chromium bug tracker:
The bug was reported by sisu from the HXP CTF team and discovered by an Apple SEAR member during HXP CTF 2022.
The Apple employee, who goes by the nickname Galileo, has explained to outlets such as TechCrunch the reason for not reporting the bug to Google:
It took me two weeks working on it full-time to find the vulnerability, write the exploit that would serve as a test and, on top of that, I would have to detail the problem to report it.
The same employee argues that “this was not a major vulnerability” that could be exploited very successfully in the real world. And yet, what Google finds suspicious is that the bug ended up being brought to the company by a person who took part in the event but was not on the team that discovered it, and who was not even close to finding it.
For now Google is sidestepping the question, saying that Apple will have to be asked why it decided not to disclose the flaw to the Big G. Cupertino has not yet commented, and it seems unlikely that it will.