Showing posts with label Report. Show all posts

Tuesday, July 25, 2023

Google says Apple employee found a zero-day, but did not report it


Google fixed a zero-day in Chrome that was found by an Apple employee, according to comments in the official bug report. While the bug itself is not newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, peculiar.

According to a Google employee, the bug was originally found by an Apple employee who was participating in a Capture The Flag (CTF) hacking competition in March. But that Apple employee did not immediately report the bug, which at the time was a zero-day — meaning Google wasn’t aware of the bug and no patch had been issued yet. The bug was instead reported by someone else who also participated in the competition, didn’t actually find the bug themselves and wasn’t even on the team that found the bug.

“This issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022,” the Google employee wrote.

After this story first published, TechCrunch viewed a Discord channel where someone claiming to be the Apple employee who originally found the zero-day explained their side of the story, particularly the reason why they didn’t report the bug immediately, in response to Sisu, the person who reported the bug to Google.

“It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and writeup the issue such that it can be fixed,” the person, who goes by Gallileo, wrote on July 6.

“It was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO. It’s commendable that chrome decided to fix it asap, but I think there wasn’t any real urgency. Only you and my team was aware of it and the issue is likely not that great in a real world scenario (doesn’t work on Android, pretty visible since it freezes the Chrome GUI for a few seconds),” Gallileo wrote.

Gallileo and Sisu did not respond to a request for comment.

Apple did not respond to a request for comment.

Google spokesperson Ed Fernandez told TechCrunch in an email that “our understanding is public in the bug.”

“We recommend reaching out to Apple for any further details,” Fernandez wrote.

It’s not uncommon for CTF teams and CTF players to find zero-days during competitions, especially in challenges of this type and competitions that are “high profile,” according to Filippo Cremonese, a researcher who participates in CTF competitions with the Italian team mhackeroni, which incidentally may be the best hacker team name ever.

What makes the story of this bug interesting is that it was apparently found by an Apple employee in a Google product, and — for some reason — that Apple employee decided not to report the bug at the time.

In the original report on March 26, the person who reported it said that the bug was found by someone on the team COPY during a CTF organized by the team HXP. The person, whose name is not disclosed in the report, said they decided to report it even if they didn’t find it themselves because they were “not 100% sure it was reported to the chromium team.”

“So I wanted to be safe,” the person wrote.

“Since you are the one disclosing this issue and there are no duplicates, it seems that the team that discovered this issue has chosen not to disclose it to us?” the Google employee wrote in another comment to the bug report.

The bug was fixed on March 29, according to the bug report. Google decided to award $10,000 as a bug bounty to the person who reported it, who, again, was not the one who found it.

UPDATE, July 20, 2:30 p.m. ET: This story was updated to include Discord messages posted by the person who claims to have found the bug originally.

UPDATE, July 24, 12:09 p.m. ET: Added clarification on twelfth paragraph.

UPDATE, July 24, 12:017 p.m. ET: On Friday, Sisu, who identified as Martin Radev, and is the person who first reported the bug to Google, published a timeline explaining his side of the story. Radev said that the Apple employee reported the bug in June. They also said they are in touch with the Apple employee to figure out what to do with the $10,000 bounty they received from Google. Radev wrote that “a donation is to be made.”

Tuesday, August 31, 2021

Another New Report Strengthens The Rumour of iPhone 13’s Always-On Display

While we have heard plenty of rumours regarding the iPhone 13 (or 12s, depending on who you ask), some of them are more persistent than others. One such example is the always-on mode for its display.

Last weekend, the well-known Apple-focused journalist Mark Gurman of Bloomberg made a passing remark about the feature in the latest issue of his weekly “Power On” newsletter. He also mentioned that the mode will work in a similar manner to the one on Apple Watch.


That being said, Mark didn’t provide in-depth details regarding the mode’s functionality. Nevertheless, what he said about the always-on display in the newsletter generally mirrored the information discussed by the reputable leakster Max Weinbach back in February.

At that time, Max said that the always-on mode on iPhone may feature a toned-down lock screen with the clock and battery capacity visible to users at all times if they choose to activate the mode. Imagine the always-on mode on Apple Watch Series 5 and Series 6 and you’ll get the idea.


Aside from the always-on display mode, Gurman has also said that consumers should expect a faster A15 chip, a smaller notch, and video recording upgrades on the new iPhone. There is also the 120Hz refresh rate, another rumour that has refused to go away so far.

Despite that, do keep in mind that Apple is reportedly saving the bigger changes to next year’s iPhone series, such as a foldable screen and an in-screen Touch ID. In other words, the 2021 lineup may feature only minor upgrades as far as the rumour mill is concerned for the time being.

Monday, May 3, 2021

Opensignal April 2021 Report: Digi Overtakes Maxis In Terms of Download Speed

Opensignal has today published its first Mobile Network Experience Report of 2021 for Malaysia and, as always, it contains several interesting observations regarding the general state of our telcos. Based on data collected from 1 Dec 2020 until 28 February 2021, Digi is apparently the fastest telco in Malaysia right now when it comes to download speed.

According to the report, the telco managed to overtake Maxis, which had held on to the Download Speed Experience title for many years, although the gap between the two companies is not that big at just 1.4Mbps. Even so, it is a worrying sign for Maxis, as Opensignal has noted that the telco’s download speed has dropped further since the last report in September 2020.


Specifically, Maxis’ download speed has gone down from 14.5Mbps in September 2020’s report to 11.9Mbps. However, Maxis is far from the only telco that has seen a drop in download speed.

The new report also said that Celcom download speed is now 7.7Mbps as opposed to 10.2Mbps back in September. This has also put the telco at the bottom of the chart which is quite a surprise given its status in the market.


U Mobile has also experienced a drop in speed, although not by much: from 10.1Mbps in September to 9.6Mbps. On the other hand, unifi Mobile joins Digi as the only other telco that has improved its download speed, from 6.7Mbps in September to 9.1Mbps.

In addition to download speed, Maxis has also lost its Video Experience throne to Digi but still managed to maintain its Games Experience lead although the telco has to share the title with U Mobile under the April 2021 report. U Mobile has also retained its hold on the Upload Speed and Voice App Experience.


Meanwhile, Celcom once again emerged as the leader in terms of 4G coverage, as in the last report. The same also applies to 4G Availability, but the telco has to share the title with unifi Mobile, which is almost on par with Celcom in this segment of the report.

What we mentioned above is just the tip of the iceberg. You can check out the full report over at Opensignal’s website right here to gain even deeper insights into the performances of our telcos for the past few months.

Wednesday, April 28, 2021

Ant Group Denies Exploring Jack Ma’s Exit After Explosive Report


Ant Group strongly denied that the company ever considered the option of having founder Jack Ma sell his stake in the company to help end ongoing scrutiny from the Chinese government. The fintech giant was responding to an explosive Reuters report which cited anonymous sources alleging that the option was indeed being considered.

Sources told Reuters that officials from China’s central bank (People’s Bank of China) and financial regulator China Banking and Insurance Regulatory Commission met separately with Ma and Ant between January and March, where the possibility of the billionaire’s exit was raised.

One Reuters source said the company hoped Ma’s stake could be sold to existing investors in Ant or sister company Alibaba. But another source claimed that the billionaire was told, during his talks with regulators, that he wouldn’t be allowed to sell his shares to any entity or persons close to him – though the door was open for him to transfer his stake to a Chinese investor affiliated with the state.

Reuters said it couldn’t tell if Ant and Ma would ultimately proceed with a stock divestment option – or which one. Not long after the article was published, Ant tweeted that the story was “untrue” and “baseless”, adding that, “Divestment of Mr. Ma’s stake in Ant Group has never been the subject of discussion with anyone.”

Ma’s companies have been in government crosshairs ever since he criticised China’s regulatory system last October. Chinese authorities scuttled Ant’s high-profile IPO in November and initiated an anti-monopoly probe against Alibaba in December, which recently culminated in a CNY 18.23 billion (~RM11.5 billion) fine.

Thursday, March 4, 2021

Report: AAA Game Devs Outsource Crunch To Support Studios


The subject of crunch (extended periods of overtime) is a hot topic in the world of video games. Most recently, the crunch debate, if you could call it that, emerged again with Cyberpunk 2077. We’ve heard some developers saying that they will work towards reducing crunch too in recent months. But does that apply to the third party support studios that they hire?

Apparently not, according to a new report by YouTube channel People Make Games. The outlet interviewed 19 current and former employees from two outsourcing studios. One being our very own Lemon Sky Studios in Malaysia, and the other being Brandoville in Indonesia.

And the common consensus is that unpaid overtime is very common. One former concept artist of Lemon Sky said that things can go from no overtime while working on TV animation to daily crunching for Warcraft III Reforged.

But unfortunately, this reality is unlikely to change for most outsourcing studios. One former Lemon Sky employee explains that in order for such studios to get a deal with a big-time AAA publisher, studios will need to offer to get the job done in a certain amount of time. That will then get squeezed further after negotiations, which means devs have to do more in less time. And if one studio doesn’t take the deal, another one will.

Thursday, February 11, 2021

Reuters Report Suggests Bitcoin May Cause More Harm Than Good For Environment


By now, you would have already heard of Elon Musk’s US$1.5 billion (~RM6.11 billion) investment into Bitcoin and how he intends to make it possible for consumers to buy cars from his company, Tesla, with the cryptocurrency. As eco-friendly as the man’s action may seem, some people believe that his actions could have the opposite effect on the global environment.

As explained in a Reuters article, one of the biggest problems with mining Bitcoin – or any cryptocurrency, for that matter – is the amount of carbon dioxide created by the mining farms that solve and execute the calculations provided by the blockchain and get paid for it.


According to data provided by the University of Cambridge and the International Energy Agency, cryptomining is expected to generate nearly 30 million metric tons of carbon dioxide per year. To put it another way, the energy consumed by all current mining farms to date nearly matches the energy consumption of the Netherlands back in 2019.

That is not to say that there are no environmentally conscious miners in the world. SJ Oh, a former Bitcoin trader and environmentalist, co-founded Pow-re, a company that is reported to run “green” bitcoin mining operations with hydropower, all in sub-zero temperatures within Canada’s subarctic region.


We also shouldn’t be so quick to dismiss Musk’s and Tesla’s endeavours to go green. Despite the fears of an environmental whiplash, the man recently offered US$100 million (~RM404 million) for inventions that could effectively reduce carbon dioxide emission, both from the atmosphere and oceans. Moreover, there’s also the possibility that the man could, in some form or another, develop a sustainable method of mining Bitcoin in the future.

Wednesday, January 20, 2021

Apple macOS Big Sur Users Report Fast User Switching Screensaver Bug


Apple macOS users have reported an annoying Big Sur bug that occurs regularly on their devices. According to the complaints, the system’s Fast User Switching screensaver feature pops up without warning, disrupting whatever the user is doing.

While this issue has recently made headlines online, its existence has been recorded as early as late 2020 on Apple support forums and Reddit. In addition, even though it’s believed that the screensaver bug mainly occurs on M1-based devices, users have reported encountering the issue on Intel-based Mac machines as well. Notably, the bug is reported to affect devices running version 11.1 of macOS with multiple user accounts present.

The Fast User Switching feature allows users to quickly switch between different accounts saved on their devices without having to log out. When activated, a screensaver will appear while the switching process is running in the background. The bug causes the screensaver to appear randomly even without the user activating the feature, and cannot be removed by regular means.


As pointed out by several users, the screensaver can be removed by closing and reopening the lid on their MacBook devices, a light press on the Power/Touch ID key, or using the Alt-Command-Q key shortcut to get back to the login screen. Keep in mind that these are merely short term solutions for a problem that would still happen randomly.

A longer-term solution that was suggested is to disable the Fast User Switching feature altogether. However, this would also mean that users will have to stick with one general account when using a shared Mac device.


Currently, Apple has yet to fully address this issue, but a fix may be finally making its way to users soon. As pointed out by users from MacRumors forum, the bug is no longer appearing in the 11.2 beta version of Big Sur, indicating that the issue may have been resolved. No word on when the new 11.2 update is planned to be rolled out publicly at this time.
