Google fixed a zero-day in Chrome that was found by an Apple employee, according to comments in the official bug report. While the bug itself is not newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, peculiar.
According to a Google employee, the bug was originally found by an Apple employee who was participating in a Capture The Flag (CTF) hacking competition in March. But that Apple employee did not report the bug, which at the time was a zero-day — meaning Google wasn’t aware of the bug and no patch had been issued yet. The bug was instead reported by someone else who also participated in the competition, didn’t actually find the bug themselves, and wasn’t even on the team that found the bug.
“This issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022,” the Google employee wrote.
It’s unclear why the Apple employee did not report the bug back in March.
Apple did not respond to a request for comment.
Google spokesperson Ed Fernandez told TechCrunch in an email that “our understanding is public in the bug.”
“We [recommend] reaching out to Apple for any further details,” Fernandez wrote.
TechCrunch wasn’t able to find a way to contact the CTF team — named COPY — whose member originally found the bug, nor the person named sisu.
It’s not uncommon for CTF teams and CTF players to find zero-days during competitions, especially in challenges of this type and competitions that are “high profile,” according to Filippo Cremonese, a researcher who participates in CTF competitions with the Italian team mhackeroni, which incidentally may be the best hacker team name ever.
What makes the story of this bug interesting is that it was apparently found by an Apple employee in a Google product, and — for some reason — that Apple employee decided not to report the bug.
In the original report on March 26, the person who reported it said that the bug was found by someone on the team COPY during a CTF organized by the team XHP. The person, whose name is not disclosed in the report, said they decided to report it even if they didn’t find it themselves because they were “not 100% sure it was reported to the chromium team.”
“So I wanted to be safe,” the person wrote.
“Since you are the one disclosing this issue and there are no duplicates, it seems that the team that discovered this issue has chosen not to disclose it to us?” the Google employee wrote in another comment to the bug report.
The bug was fixed on March 29, according to the bug report. Google decided to award $10,000 as a bug bounty to the person who reported it, who, again, was not the one who found it.