The popular zero-day broker Zerodium announced new limitations it the submission of certain types of iOS exploits due to surplus.
The exploit broker Zerodium announced that it’s no longer accepting certain types of iOS exploits due to surplus, this implies that prices for them will drop in the near future.
The company announced via Twitter that it would no longer accept submissions for iOS local privilege escalation, Safari remote code execution, and sandbox escape exploits, at least for the next months.
Zerodium argued that it has taken this decision due to the high number of submissions, an information that could give us an idea of how is prolific the hacking community.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors. Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.— Zerodium (@Zerodium) May 13, 2020Company experts believe that the prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the next months.
Zerodium CEO Chaouki Bekrar criticized the current level of iOS security that is evidently going to zero.
“Let’s hope iOS 14 will be better,” said Chaouki Bekrar.
iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better.https://t.co/39Kd3OQwy1— Chaouki Bekrar (@cBekrar) May 13, 2020The decision of the company is coherent with the announcement made in September 2019 when Zerodium updated the price list for both Android and iOS exploits, with Android ones having surpassed the iOS ones for the first time.
Announcement: We’ve updated our prices for major Mobile exploits. For the first time, we will be paying more for Android than iOS. We’ve also increased WhatsApp & iMessage (0-click) but reduced the payout for iOS (1-click) in accordance with market trends:https://t.co/0NBRnq4I4y pic.twitter.com/XqpmAKmmKF— Zerodium (@Zerodium) September 3, 2019For the first time, the price for Android exploits is higher than the iOS ones, this is what has emerged from the updated price list published by the zero-day broker Zerodium.
Currently a zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS only $2 million.
The tech giant is running a public bug bounty program through which it’s prepared to pay out up to $1 million for exploits that achieve persistence, bypass PAC and require no user interaction.
The post Zerodium will no longer acquire certain types of iOS exploits due to surplus appeared first on Security Affairs.