RE and bug hunting. Not affiliated with any franchise, brand, or organization. All opinions are mine.
Blog: https://altvi.st
GitHub: https://github.com/altvist
Mail: [email protected]
Using #claude for #cybersec tasks is a total pain. Their restrictions are dumb, they trigger even if I do 100% defensive research, e.g. RE of a malicious APK.

They closed the report. So, the timeline is https://altvi.st/a-bug-in-apple-audiotoolbox-that-leads-to-heap-oob-read/#timeline for now.

Well, I should write a separate post and share my experience with the #apple #security #bounty program.

A bug in Apple Audio Toolbox that leads to heap OOB read | ALTV!ST

A random fun fact: iMelody is a mono beep-beep-beep ringtone format introduced by Sony Ericsson in the early 00s. #apple CoreAudio on the newest macOS still contains an iMelody parser, and the parser is vulnerable (OOB read) 🤷‍♂️ I don't even know if I should report it to Apple.

#apple #vulnerability #ringtone #sonyericsson

RE: https://infosec.exchange/@altvist/116710041220058870

It’s hard to believe, but #apple reopened the #vulnerability report again after that post (writeup + poc) in my blog. So the report is in review for the third time. What a circus 🤦‍♂️

I'm going to share a (non-weaponized) PoC + writeup for a couple bugs in AudioToolboxCore soon. Chained together, they lead to a heap OOB read. Not patched at the moment.

#vulnerability #apple

#apple: silently closes my #vulnerability report and moves it to the status "We are unable to identify a security issue in your report"

me: thank you for your review, if it's not a vulnerability, I can publish the writeup + PoC in my blog without worrying about ethical concerns

#apple: silently reopens the report and moves it to the status "We’re reviewing your report"

Recently I’ve seen a bunch of articles like “we told #Claude to find vulnerabilities and make us millionaires, and it found 100500 of them.” I got curious and tried it, but of course it doesn’t work like that. AI turned out to be effective at finding vulnerabilities only if you explain what exactly to look for and at least roughly where. Then it really does a good job.