I'm glad the data leak has been fixed, but they did not acknowledge my efforts or even have the decency to respond to my emails, DMs, or tweets.
I wrote a medium article on a lot more specific details of this incident.
iOS Firmware Leaking 10,000+ Emails, Usernames, First, Last Names on ISO.org due to lack of QA when embedding open source libraries
Author: Jonathan Scott (Twitter: https://www.twitter.com/jonathandata1)
Date Published: October 21st, 2021
Date Updated: December 17th, 2021
As I was preparing material for a lecture I will be giving on the ethics of mobile forensics, I came across a link while running my forensic tools.
Background: I decompressed the DMG inside of iOS 15.0.2 (018-78120-011.dmg); the build name is Sky19A404.D63OS.
The link I found was https://isotc.iso.org/livelink/livelink/Open/16944257
Locations: Symbolic link: /usr/share/zoneinfo/iso3166.tab; Direct path: /usr/share/zoneinfo.default/iso3166.tab
I noticed that going to that URL in a browser I was able to view data that was not available to the public.
I went back to read the code comments, and I could see that these code comments had nothing to do with the data that I was looking at on iso.org. As I began to traverse the site, I noticed that I was able to access restricted areas that have gone outside of the public domain.
Now that I understood what was actually happening, I was concerned, because I was able to see a list of over 10,000 ISO.org usernames, first names, last names, and email addresses from all around the world.
This list includes the PII of international governments and major corporations.
"...the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant - i.e., a different weakness enabled the access to the information in the first place." Source: https://cwe.mitre.org/data/definitions/200.html
After further analysis, I am able to prove that this link referenced in the code is a backdoor that bypasses ISO.org's paywall.
The argument can be made that this is not Apple's issue, this is an issue with ISO.org, and there is truth in both, but this data leak is 100% due to Apple backdooring data and intentionally exposing endpoints that are only available after properly paying for the data.
- The data that is referenced in the iso3166.tab is paid data that lives behind a PAY WALL from ISO.org, reference: https://www.iso.org/standard/72483.html
- As I mentioned in my Twitter feed: Apple is back-dooring this data, bypassing ISO.org's paywall, and by back-dooring the data Apple is knowingly exposing this URL endpoint.
According to Apple's own compliance statements, they hold the following ISO certifications: ISO 27001 and ISO 27018.
- Accuracy and quality
- Accountability
- Information Security
- Privacy Compliance
Apple's own compliance statement puts them as the responsible party that published a vulnerable URL that led to a URI in which 10,000+ ISO.org users' data were exposed.
Apple's ISO certifications: https://support.apple.com/en-us/HT210897
Open source code deserves just as much scrutiny as closed. Relying on code that was last updated in 2018 at best is irresponsible, dangerous, and harmful to the community. This lack of quality assurance has led to a massive data breach and leak. Open source usage and responsibility falls within Apple's ISO compliance standards, and if they were only to follow these standards, we would not be in this situation. The Log4J exploit has shown that open source code needs to be examined on a much higher level than is happening right now.
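A QA check of the kind this paragraph calls for, added here as an example that is not part of the original write-up or of any Apple or tzdata tooling: it parses an iso3166.tab-style file (a constructed sample with a placeholder URL, not the real one), resolves the zoneinfo symlink to the path the file actually lives at, and flags any outbound URLs embedded in the comment header for review before the image ships.

```python
import os
import re
import tempfile

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample in the tzdata iso3166.tab layout ('#' comment header,
# then "CC<TAB>name" rows). The URL is a placeholder, not the real one.
SAMPLE_ISO3166_TAB = """# ISO 3166 alpha-2 country codes
# Source table: https://example.invalid/iso3166-source (placeholder)
#country-
#code\tname of country, territory, area, or subdivision
AD\tAndorra
AE\tUnited Arab Emirates
"""

def parse_iso3166_tab(text):
    """Return ({code: name}, [urls found in comment lines])."""
    codes, urls = {}, []
    for line in text.splitlines():
        if line.startswith("#"):
            urls.extend(URL_RE.findall(line))   # comments are where links hide
        elif line.strip():
            code, _, name = line.partition("\t")
            codes[code] = name
    return codes, urls

def audit_tab_file(path):
    """Resolve symlinks, parse the file, and report any outbound URLs so they
    can be reviewed (not fetched) before the firmware image is released."""
    resolved = os.path.realpath(path)
    with open(resolved, encoding="utf-8") as fh:
        codes, urls = parse_iso3166_tab(fh.read())
    return {"path": path, "resolved": resolved, "entries": len(codes),
            "urls": urls, "needs_review": bool(urls)}

def demo():
    """Recreate the two paths named in the write-up in a temp dir: the file sits
    under zoneinfo.default/ and zoneinfo/ is modelled as a symlink to that dir."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "zoneinfo.default"))
    with open(os.path.join(root, "zoneinfo.default", "iso3166.tab"), "w",
              encoding="utf-8") as fh:
        fh.write(SAMPLE_ISO3166_TAB)
    os.symlink(os.path.join(root, "zoneinfo.default"), os.path.join(root, "zoneinfo"))
    return audit_tab_file(os.path.join(root, "zoneinfo", "iso3166.tab"))

if __name__ == "__main__":
    print(demo())
```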
I recognize that others in the community are using the exact same iso3166.tab file. Highlighting this global issue only makes matters more urgent to correct. If a company like Apple is skipping their compliance standards, how is the general public supposed to maintain trust in any of their products and services?
Supply chain attacks are top of mind for many IT teams, and an important piece of the puzzle is ensuring its integrity. Compliance is a key part of this, and as a result, organizations like the Linux Foundation sought a solution. The OpenChain Project was created as an effective certification for open source license compliance in the software supply chain. What it essentially does is strengthen the whole chain and ensure each section can be trusted and meets the standard of compliance set to earn the certification. The most recent OpenChain Specification is the ISO/IEC 5230:2020 which “specifies the key requirements of a quality open source license compliance program in order to provide a benchmark that builds trust between organizations exchanging software solutions comprised of open source software.”
Reference: https://www.trendmicro.com/pt_br/research/21/g/navigating-open-source-licensing-risk.html
My intent by disclosing this is to bring awareness to data privacy concerns, human rights violations as they pertain to data privacy issues, and to have Apple and others be more conscious of their actions or inactions when publishing code with open source projects embedded.
"After examining your report we do not see any actual security implications with Apple products or services. This link is included in open source code as part of the ISO standard."
I am a mobile security engineer, and most recently I have been acknowledged by LG Mobile for discovering a backdoor that affects all LG Mobile devices in the world.
https://leonlagreyentry.blog/apples-backdoor-security-15-0-2-exposed-iso-standard-leak/
https://cooltechzone.com/news/bad-qa-of-ios-15-0-2-led-to-comprehensive-exposure-of-iso-org