Google: An Apple employee found a Chrome zero-day bug but didn’t report it
Google has fixed a zero-day vulnerability in its Chrome browser discovered by an Apple employee, according to comments in an official bug report.
While the bug itself isn’t newsworthy, how it was discovered and reported to Google is somewhat peculiar, to say the least.
According to a Google employee, the vulnerability was first discovered by an Apple employee while participating in a Capture the Flag (CTF) hacking competition in March.
But the Apple employee didn’t report the bug, which was still a zero-day at the time — meaning Google didn’t know about it and didn’t issue a patch.
The bug was instead reported by another person who also participated in the competition, but who didn’t find the bug himself and wasn’t even on the team that found it.
“This issue was reported by CTF team HXP’s sisu, and a member of Apple’s Security Engineering and Architecture (SEAR) discovered this issue during HXP CTF 2022,” the Googler wrote.
It’s unclear why the Apple employee didn’t report the bug back in March. Apple and Google did not respond to requests for comment, and neither the CTF team (called COPY, whose members originally discovered the vulnerability) nor the person named sisu could be reached.
It’s not uncommon for CTF teams and CTF players to find zero-day vulnerabilities in competitions, especially in challenges of this type and “high-profile” competitions, said Filippo Cremonese, a researcher who participated in the CTF competition with the Italian mhackeroni team.
What’s interesting about this bug is that it was apparently discovered in a Google product by an Apple employee who, for some reason, decided not to report it.
In the original report on March 26, the reporter said that someone from the COPY team discovered the vulnerability in a CTF organized by the HXP team. The person, who was not named in the report, said they decided to report it even though they didn’t find it themselves because they were “not 100% sure it was reported to the chromium team”.
“Since you disclosed this issue and there are no duplicates, it appears that the team that discovered this issue chose not to disclose it to us?” the Googler wrote in another comment on the bug report.
According to the bug report, the vulnerability was fixed on March 29.
Google decided to award $10,000 as a bug bounty to the reporter, but the reporter is not the person who discovered the vulnerability.
