Google says Apple employee found a zero-day but did not report it
Google fixed a zero-day in Chrome that was found by an Apple employee, according to comments in the official bug report. While the bug itself is not newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, peculiar.
According to a Google employee, the bug was originally found by an Apple employee who was participating in a Capture The Flag (CTF) hacking competition in March. But that Apple employee did not report the bug, which at the time was a zero-day — meaning Google wasn’t aware of the bug and no patch had been issued yet. The bug was instead reported by someone else who also participated in the competition, didn’t actually find the bug themselves and wasn’t even on the team that found the bug.
“This issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022,” the Google employee wrote.
After this story first published, TechCrunch viewed a Discord channel where someone claiming to be the Apple employee who originally found the zero-day explained their side of the story, particularly the reason why they didn’t report the bug immediately, in response to Sisu, the person who reported the bug to Google.
“It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and writeup the issue such that it can be fixed,” the person, who goes by Gallileo, wrote on July 6.
“It was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO. It’s commendable that chrome decided to fix it asap, but I think there wasn’t any real urgency. Only you and my team was aware of it and the issue is likely not that great in a real world scenario (doesn’t work on Android, pretty visible since it freezes the Chrome GUI for a few seconds),” Gallileo wrote.
Gallileo and Sisu did not respond to a request for comment.
Apple did not respond to a request for comment.
Google spokesperson Ed Fernandez told TechCrunch in an email that “our understanding is public in the bug.”
“We recommend reaching out to Apple for any further details,” Fernandez wrote.
It’s not uncommon for CTF teams and CTF players to find zero-days during competitions, especially in challenges of this type and competitions that are “high profile,” according to Filippo Cremonese, a researcher who participates in CTF competitions with the Italian team mhackeroni, which incidentally may be the best hacker team name ever.
What makes the story of this bug interesting is that it was apparently found by an Apple employee in a Google product, and — for some reason — that Apple employee decided not to report the bug.
In the original report on March 26, the person who reported it said that the bug was found by someone on the team COPY during a CTF organized by the team HXP. The person, whose name is not disclosed in the report, said they decided to report it even if they didn’t find it themselves because they were “not 100% sure it was reported to the chromium team.”
“So I wanted to be safe,” the person wrote.
“Since you are the one disclosing this issue and there are no duplicates, it seems that the team that discovered this issue has chosen not to disclose it to us?” the Google employee wrote in another comment to the bug report.
The bug was fixed on March 29, according to the bug report. Google decided to award $10,000 as a bug bounty to the person who reported it, who, again, was not the one who found it.
UPDATE, July 20, 2:30 p.m. ET: This story was updated to include Discord messages posted by the person who claims to have found the bug originally.