
Google fixed a zero-day in Chrome that was found by an Apple employee, according to comments in the official bug report.

While the bug itself is not newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, peculiar.

According to a Google employee, the bug was originally found by an Apple employee who was participating in a Capture The Flag (CTF) hacking competition in March. But that Apple employee did not immediately report the bug, which at the time was a zero-day - meaning Google wasn’t aware of the bug and no patch had been issued yet. The bug was instead reported by someone else who also participated in the competition, didn’t actually find the bug themselves and wasn’t even on the team that found the bug.

“This issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022,” the Google employee wrote.

After this story first published, TechCrunch viewed a Discord channel where someone claiming to be the Apple employee who originally found the zero-day explained their side of the story, particularly the reason why they didn’t report the bug immediately, in response to Sisu, the person who reported the bug to Google.

“It took me 2 weeks working on it full time to root cause, write exploit and writeup the issue such that it can be fixed,” the person, who goes by Gallileo, wrote on July 6.

“It was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO. It’s commendable that chrome decided to fix it asap, but I think there wasn’t any real urgency. Only you and my team was aware of it and the issue is likely not that great in a real world scenario (doesn’t work on Android, pretty visible since it freezes the Chrome GUI for a few seconds),” Gallileo wrote.

Apple did not respond to a request for comment. Gallileo and Sisu did not respond to a request for comment.

Google spokesperson Ed Fernandez told TechCrunch in an email that “our understanding is public in the bug.”

“We recommend reaching out to Apple for any further details,” Fernandez wrote.
