Exploit devs allegedly bag $1m for 'secret' iOS 9.1 untethered jailbreak

An unnamed team of hackers has apparently received a million-dollar payout for disclosing a trio of iOS 9.x and Google Chrome security bugs to private zero-day buyer Zerodium. However, only people willing to pay Zerodium a subscription will get to see how the remote browser-based untethered jailbreak works: the company won't …

  1. cbars Bronze badge

    I really dislike these firms

    No one can compete with that, even Apple. Escalation would mean the exploit company could always outbid to the point it becomes unaffordable for the vendor. Would they really chuck away that much money on a regular basis? Joe Bloggs will buy the phone anyway.

    It's one thing for the government(s) to pull this shit independently, but an outsourcing model? Fucking hell.

    1. Known Hero
      Meh

      Re: I really dislike these firms

      outbid to the point it becomes unaffordable for the vendor.

      Yeah, 'cause the richest company on the planet has no chance of outbidding the small fish whilst they make billions year on year....... really ........

      And even if they started to realise it making a sizable dent in their Profits, they will fix their ways and secure it before release. They will only do something if it affects their bottom line.

      (This is not an Apple-only dig, it goes for every vendor).

      1. cbars Bronze badge

        Re: I really dislike these firms

        Err. I'm not saying vendors don't have money to spare, I'm saying they'll be unwilling to invest that in a bug bounty program. And the more rare bugs become, the more a private company (/agency proxy) will be willing to spend to get hold of one.

        As for these companies being sued, ha. That Italian biz seemed to get by OK without anyone batting an eyelid (until we were all pointing and laughing). In the land of the free it's easier, just get some lawyers to argue for you; with a subscription based business model, that has legs.

        Anyway, my main point: those companies are fucking bastards.

    2. Anonymous Coward

      Re: I really dislike these firms

      I am pretty sure that Apple/Google can just sue them. That's if the police don't arrest them first.

      1. Anonymous Coward

        Re: I really dislike these firms

        I am pretty sure that Apple/Google can just sue them. That's if the police don't arrest them first.

        That's what I was thinking. Imagine a hack which uses this vulnerability, you'd end up with culpability and liability because you wilfully endangered users by attempting to blackmail the vendor with knowledge that could harm their users. Reckless endangerment, here we come..

      2. Eddy Ito

        Re: I really dislike these firms

        I am pretty sure that Apple/Google can just sue them. That's if the police don't arrest them first.

        Why would law enforcement arrest their favorite vendor?

  2. Anonymous Coward

    Zerodium could always outbid Apple? C'mon... it's just Zerodium & C. are a nice way to avoid Apple & C. are caught with their hands dirty....

    1. killakrust
      Thumb Up

      Wouldn't it be simpler...

      Wouldn't it be simpler for Apple, Google etc to just get a Zerodium subscription? If Zerodium won't allow it for some reason, then they could pay off one of their existing customers to get the exploit data.

      1. g e

        Re: Wouldn't it be simpler...

        To go alongside their Microsoft tithe?

      2. Anonymous Coward

        Re: Wouldn't it be simpler...

        If Apple and Google haven't had one of their employees subscribe to them 'just in case' they're on the level, they're stupid.

        Though I wonder if this is all a publicity seeking scam, and they offered $1 million they had no intention of paying, claimed someone found exploits that met the criteria, and are now hoping a lot of crims will subscribe to their service to get access to the juicy exploit.

  3. Chairo
    Thumb Up

    Those efforts by groups such as Pangu Team focus on areas of iOS that are less-valuable to attackers. The group tells El Reg it avoids targeting Apple's Safari since that could be valuable to attackers.

    Ah, that's why Jailbreakme.com was not updated any more to the latest iOS versions. I wondered if Safari suddenly got so much more secure. Makes sense - why should the community supply the black hats with browser exploits for free, anyway?

  4. Anonymous Coward

    Always has to be third party..

    Many exploits these days are by design, thus finds are a nuisance far beyond the negative marketing,

    And fixing them may thus need new exploits to be introduced.

    1. Steve Davies 3 Silver badge

      Re: Always has to be third party..

      Quote

      And fixing them may thus need new exploits to be introduced.

      Spot on A/C. We have plenty of evidence of that with the seemingly endless IE patches that patch patches that patch ... etc.

      The code must be a nightmare of spaghetti. No wonder they re-wrote it (EDGE) but .... how vulnerable will that browser be once people start targeting it?

      The latest OSX release had an awful lot of Safari patches as evidenced by the list of CVEs fixed.

      1. ksb1972

        Re: Always has to be third party..

        I doubt anyone will bother targeting Edge. Especially if it remains as unstable as it is right now. I tried using it yesterday. It vanished just as I was checking out online. No error messages, no warning. Just disappeared. Just like that. I completed my online purchase in Firefox without a hitch.

  5. Your alien overlord - fear me

    At least the rest of the (hacking) world now knows it's possible and where to focus their own efforts. Alas, it's also tipped off Cook and Co. where to fix their bugs so unless Zerodium make money real quick, that's a meeellion bucks down the drain.

  6. ZSn

    Downvote

    I remember commenting on vulnerabilities that it was possible that a million dollars wasn't outrageous given the right exploit. This was in the context of the Android bug. I was downvoted, nice to see I was vindicated.

    Now if you had, for example, an exploit against a core protocol, or even ECC itself - imagine how much you could charge.

    1. Anonymous Coward

      Re: Downvote

      You assume they're on the level with their claims. That remains to be seen, it could all be a scam to get people to subscribe to their 'service'.

      I don't see how an iOS exploit is worth a million bucks given how quickly Apple is able to turn around a fix and how quickly users update (and I'll bet they have a way to encourage people to update beyond a pop up telling them there's a new version available, if it were truly serious). They may even have a way of, for example, forcing Safari to update (to kill the browser based part of the exploit) without the user being given any choice.

      Seems that an Android exploit should be a lot more valuable. True, Android users are on average less well off / spend less than iOS users, but that's more than made up by the fact there are 5-6x as many of them and the majority will never have the option to update their device so an Android exploit would have a much longer lifespan than an iOS exploit.

  7. Anonymous Coward

    In some countries it may be safer to sell an exploit privately than to disclose it publicly and risk arrest for computer misuse.

  8. Anonymous Coward

    How long could this be good for?

    Let's say they're on the level and they make this available to all their subscribers. If Apple has employees that subscribe to keep an eye on what is going on in the underworld, they could probably turn around a fix in under a week if they wanted. That's a pretty short window to monetize it.

    I don't see how a subscription service can justify this. The only feasible way to handle such an exploit would be to auction it off, so only one bad guy has access to it. Even then, once you start using it Apple would be able to turn around a fix very quickly if it is serious enough, but at least you aren't competing with hundreds of other bad guys to see who can use it first. Thus I'm really wondering whether this whole thing is even on the level, or this company is just trying to get a bunch of people to subscribe to their "service" (in an untraceable non-refundable form like bitcoin, no doubt).

  9. phil dude
    Pint

    social engineering...

    See Icon.

    P.
