Google says an Apple employee found Day Zero but did not report it

Image credits: S3studio/Getty Images/Getty Images

Google identified zero days in Chrome that was found by an Apple employee, According to the comments in the official bug report. While the bug itself isn’t newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, bizarre.

According to a Google employeeThe bug was originally found by an Apple employee who was participating in the Capture The Flag (CTF) hacking contest in March. But this Apple employee did not report the bug, which was then zero – which means that Google was unaware of the bug and a patch hasn’t been released yet. Instead, the bug was reported by someone else who also participated in the competition. He didn’t actually find the bug himself, and he wasn’t even on the team that caught the bug.

“This issue was reported by sisu from the CTF HXP team and was discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022,” the Googler wrote.

After this story was first published, TechCrunch saw a Discord channel where someone claiming to be the Apple employee who originally found Zero-Day explained their side of the story, particularly why they didn’t report the bug right away, in response to sisu, the person who reported the bug to Google.

“It took me two weeks to work on it full time until I got to the bottom of why,” he writes [the] Exploit [Proof of Concept] And write down the problem so that it can be solved,” wrote the person who went next to Galileo on July 6.

It was reported on June 5th, by my company. Yes, it was late, and there are multiple reasons for that. First I had to find the responsible person, the report had to be signed by people and then the responsible person was OOO. It’s commendable that chrome decided to fix it ASAP, but I think there was no real urgency. Only you and my team were aware of it, and it’s likely that the problem wouldn’t be much in a real-world scenario (it doesn’t work on Android, it’s very visible because it freezes the GUI of Chrome for a few seconds), Galileo wrote.

Galileo and Sesso did not immediately respond to a request for comment.

Apple did not respond to a request for comment.

Google spokesperson Ed Fernandez told TechCrunch in an email that “our general understanding is wrong.”

“We recommend contacting Apple for more details,” Fernandez wrote.

It’s not uncommon for CTF teams and CTF players to find zero days during competitions, especially in challenges of this nature and “high profile” competitions, according to Filippo Cremonese, a researcher involved in CTF competitions with the Italian team. macaroniwhich by the way might be the best pirate team name ever.

What makes the story of this bug interesting is that it was apparently discovered by an Apple employee in a Google product, and for some reason the Apple employee decided not to report the bug.

in the original report On March 26, the person who reported the bug said that the bug was found by someone on the COPY team during CTF Organized by the team xhp. The person, whose name was not disclosed in the report, said they decided to report it even if they didn’t find it themselves because “they weren’t 100% sure it was reported to the Chromium team.”

“So I wanted to be safe,” the person wrote.

“Since you are the one disclosing this issue and there are no duplicates, it appears that the team that discovered this issue chose not to disclose it to us?” wrote a Google employee in another comment on the bug report.

The bug was fixed on March 29, according to the bug report. Google decided to give a $10,000 bug bounty to the person who reported it, which, again, wasn’t the person who found it.

Update, July 20, 2:30PM ET: This story has been updated to include Discord messages posted by the person who claims to have originally discovered the bug.