Researcher footnote: GitHub bug reports

Masq31 - Benjamin Giordano
1 min read, Apr 26, 2021


Hello everyone, I decided to do a not-quite-a-blog-but-too-big-for-a-tweet follow-up on a finding from the other day. This is a pretty simple one. Applications such as Telegram and other secure messaging tools require the use of their own custom keyboard and input methods. Why is this worth considering? Well, the other day I was looking into iOS keyboards and found that you can now install custom third-party keyboards. The problem: a keyboard that has been granted Full Access can see everything you type into it and send it off the device, much like a keylogger. Apple even warns you of exactly this threat when you try to enable the feature.
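As an added example (this is not code from the original post, nor Brave's or Telegram's own code), here is how an iOS app keeps third-party keyboard extensions out of its text fields. The delegate callback and the text-field property are real UIKit APIs; the class names are hypothetical.

```swift
import UIKit

// Added example: app-side controls that keep a third-party keyboard
// (with or without Full Access) from ever receiving this app's input.
// Class names such as SecureMessageViewController are hypothetical.

@main
class AppDelegate: UIResponder, UIApplicationDelegate {

    // UIKit calls this before it loads any app extension into the process.
    // Returning false for the keyboard extension point means only Apple's
    // built-in keyboards are offered anywhere in this app, so a custom
    // keyboard granted Full Access never sees what the user types here.
    func application(_ application: UIApplication,
                     shouldAllowExtensionPointIdentifier extensionPointIdentifier: UIApplication.ExtensionPointIdentifier) -> Bool {
        if extensionPointIdentifier == .keyboard {
            return false
        }
        return true
    }
}

class SecureMessageViewController: UIViewController {
    let messageField = UITextField()

    override func viewDidLoad() {
        super.viewDidLoad()

        // Per-field defence for a single sensitive input: iOS never offers a
        // custom keyboard for a secure text entry field, and this also turns
        // off the predictive/autocorrect paths that can retain what was typed.
        messageField.isSecureTextEntry = true
        messageField.autocorrectionType = .no
        messageField.spellCheckingType = .no

        messageField.frame = CGRect(x: 16, y: 120, width: view.bounds.width - 32, height: 40)
        messageField.borderStyle = .roundedRect
        view.addSubview(messageField)
    }
}
```

The delegate check is the app-wide control; the secure-entry flag is the fallback for one field when the rest of the app wants custom keyboards. Neither removes a keyboard the user has installed for other apps, so on your own device the check to run is Settings > General > Keyboard > Keyboards, and look at which third-party keyboards have Allow Full Access switched on.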

While Apple's App Store vetting is good, it isn't bulletproof. Even worse, it appears that the standard of requiring an app's own keyboard for functionality like Telegram's is applied spottily from app to app. Staying on theme, this wasn't quite grounds for Brave's HackerOne or Bugcrowd programs, so I filed a bug report through GitHub and am awaiting a response.

https://github.com/brave/brave-ios/issues/3573

Bug reports can contain security issues that might be leveraged for real-world proofs of concept or attacks, so a project's public issue tracker is a valuable resource to check if you're looking into its bug bounty program.

Thanks all for now, stay safe!
