An unnamed Apple engineer found a recently-fixed bug in the Google Chrome browser but opted not to notify the appropriate team at Google, according to a recent report by TechCrunch that unraveled the situation.
The employee, currently identified only as a member of Apple’s Security Engineering and Architecture (SEAR) team, discovered the bug during a Capture The Flag (CTF) cybersecurity competition held in March. Instead of the Apple employee reporting the bug, a different participant in the competition became aware of the security hole and reported it to Google. The report notes that this participant is not thought to have been part of the team that initially found the bug.
According to a comment made on Google’s Chromium bug reports portal, the bug in question was reported by an individual going by the moniker “sisu”, who also participated in the same CTF competition. The comment confirms that the bug was first discovered by the Apple SEAR engineer. In the original bug report on Chromium, sisu wrote the following as part of their report:
TBH, I have not looked into the issue since I did not discover the bug. However, I’m not 100% sure it was reported to the chromium team, so I wanted to be safe.
During the competition, a member of team COPY found a 0day bug in SwiftShader which allows arbitrary read and write in the GPU process. This report is to ensure it gets handled in case team COPY has not yet reported it.
TechCrunch was able to access an undisclosed Discord server where an account claiming to belong to the Apple employee in question explained the reasoning behind their hesitance to report the bug to Google. The account – going by the name “Gallileo” – wrote the following in response to sisu:
“It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and write up the issue such that it can be fixed.
“It was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO [Out Of Office]. It’s commendable that chrome decided to fix it asap, but I think there wasn’t any real urgency. Only you and my team were aware of it and the issue is likely not that great in a real world scenario (doesn’t work on Android, pretty visible since it freezes the Chrome GUI for a few seconds).”
The bug in question was fixed on March 29, and Google opted to award a $10,000 bounty to sisu rather than Gallileo. TechCrunch reached out to Google and Apple for comment, but Apple did not respond (and is unlikely to). Google spokesperson Ed Fernandez said, “Our understanding is public in the bug. We recommend reaching out to Apple for any further details.”