Lingo

🚨APPLE ADVERTISES $2 MILLION FOR FINDING SECURITY BUGS.. THEN CALLS YOUR DISCOVERY A "DUPLICATE".. PATCHES IT SILENTLY.. GIVES YOU NOTHING.. AND BANS YOUR APPLE ID IF YOU COMPLAIN.. Two researchers found a critical macOS vulnerability that let attackers steal passwords, encrypted chats, and Safari data through Archive Utility.. Submitted it October 2025.. Apple took 5 months.. Patched it with zero credit.. Zero CVE.. Zero bounty.. Their reason.. "You were not the first person to report this issue".. That's the duplicate loophole.. Apple claims an internal engineer found it first.. But researchers can't verify that.. Apple controls the tracking system.. No audit.. No appeals.. The researcher said it felt like "doing charity work for a $3 trillion company".. Another researcher found apps could access your entire photo library even after you turned off access in settings.. Apple's own page lists that at $50,000.. They reported it.. Apple went silent.. Patched it quietly.. Said it was a duplicate.. $0.. When the researcher blogged about it.. Apple permanently banned their 12-year-old Apple ID.. Apple's brand new Passwords app in iOS 18 was sending data over unencrypted HTTP.. A credential manager transmitting password reset links in plaintext.. Any attacker on the same WiFi could intercept them.. Researchers reported it.. Apple let it sit 3 months.. Patched it quietly.. Said it "didn't meet the impact criteria".. Then there's the FaceTime disaster.. A 14-year-old discovered you could eavesdrop on anyone's iPhone.. Start a FaceTime call.. Add your own number before they answer.. Their microphone turns on.. If they hit the volume button.. Their camera activates too.. His mother spent a week trying to tell Apple.. Emails.. Faxes.. Social media.. Support told her to pay $99 for a developer account to file a bug report.. Apple did nothing until the exploit went viral and millions started eavesdropping on each other.. Then they panicked.. Took FaceTime offline globally.. Congress sent formal letters to Tim Cook demanding answers.. Then there's the researcher who got so fed up being ignored that they hacked Apple's own internal daily security call.. They'd reported a zero-click iMessage vulnerability.. Apple stonewalled them.. So they found another flaw.. Used it to infiltrate the internal FaceTime call where Apple engineers discuss bugs.. And dropped a screenshot proving the exploit live.. The team securing 2.35 billion devices couldn't secure their own meeting.. Apple's response.. A threatening legal letter.. Not a bounty.. A legal threat.. This is why the exploit black market thrives.. A zero-click iPhone exploit sells for $1.5 to $2.5 million on the gray market.. Guaranteed payment.. No bureaucracy.. No "duplicate" risk.. Submitting to Apple means NDAs.. 6-12 months of waiting.. Risk of $0.. Risk of your Apple ID being banned if you speak up.. Those gray market exploits end up with mercenary spyware vendors like NSO Group.. Deployed against journalists and human rights lawyers worldwide.. Apple pushes researchers toward the black market.. Then spends billions defending against the exploits those researchers could have sold them for a fraction of the price.. 2.35 billion devices.. And the company would rather send lawyers than pay what they owe.

‼️🚨 Malicious actors can now use your SSD's activity, just by getting you to open their website, to spy on which other sites you're browsing and which apps you're running. The attack, called FROST, is accurate: 88.95% on identifying websites, 95.83% on identifying applications. It works on macOS and Linux, across browsers, and runs entirely in JavaScript. The browser makers were told, and largely shrugged. Chromium says fingerprinting isn't a security bug. Apple called it out of scope. Mozilla acknowledged it and shipped nothing. Researchers at Graz University of Technology developed the attack. It abuses the Origin Private File System, a browser feature that lets sites store files on your disk without asking. The attack creates one huge file, then constantly times how fast it can read from it. When you open another tab or launch an app, that activity competes for the same SSD, and the tiny changes in read speed leak what you're doing. A trained neural network turns those timing patterns into guesses about which site or app it is.