Google fixed a zero-day in Chrome that was found by an Apple employee, according to comments in the official bug report. While the bug itself is not newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, peculiar.
According to a Google employee, the bug was originally found by an Apple employee who was participating in a Capture The Flag (CTF) hacking competition in March. But that Apple employee did not report the bug, which at the time was a zero-day — meaning Google wasn’t aware of the bug and no patch had been issued yet. The bug was instead reported by someone else who also participated in the competition, didn’t actually find the bug themselves and wasn’t even on the team that found the bug.
“This issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022,” the Google employee wrote.
According to a Discord channel viewed by TechCrunch, someone claiming to be the Apple employee who originally found the zero-day explained their side of the story in response to Sisu, the person who reported the bug to Google, and in particular why they didn’t report the bug immediately.
“It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and writeup the issue such that it can be fixed,” the person, who goes by Gallileo, wrote on July 6.
“It was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO. It’s commendable that chrome decided to fix it asap, but I think there wasn’t any real urgency. Only you and my team was aware of it and the issue is likely not that great in a real world scenario (doesn’t work on Android, pretty visible since it freezes the Chrome GUI for a few seconds),” Gallileo wrote.
Gallileo and Sisu did not respond to a request for comment.