About 4 months ago I submitted a bug bounty report to both Apple and Google regarding a vulnerability that allows MMS messages to be sent:
- From a target user's phone
- Remotely as long as the target phone is within proximity of the initiator's device
- With no history of the message being sent
- From a device connected to the target devices hotspot.
The real limiting factor to this being a huge vulnerability is that you have to be connected to the target device's hotspot. However, being connected to a device's hotspot certainly shouldn't let you send messages from the host's device. Especially without their knowledge or any record of it happening.
Apple and Google both shrugged it off. Google marking it as "wont fix (infeasible)" and apple saying and I quote "We have determined that [the issue] doesn't have security implications that affect our products or services."
Curious response considering I sent them a video of it happening with their latest device on the latest security patch…
I think google, apple and myself could really help each other out here, but they're not making it easy. I told both Apple and Google I'd release it a month after the issue was created. It has been 4. I'll give it another month. Hopefully they'll see that I'm serious about this and change their mind.
submitted by /u/Firewolf386
[comments]
Source link