Hmm, wasn't there a rather serious security flaw discovered on High Sierra last year that was pretty quickly patched by Apple? I'm thinking something similar will be done here too.
 
I'm pretty sure he's sharing details with Apple immediately, and waiting till November to share it publicly.
This is false. The "researcher" is complaining about there being no bug bounty program for macOS in the video. He wanted to get paid for finding this bug and did not share it with Apple beforehand.

If this was shared with Apple during any of the betas they would have fixed it before release.
 
And that's why you never install a new major macOS version until at least a couple of months have passed

Software bugs and security flaws are constantly found. Waiting at least a couple months isn't going to change that.

Best course of action is to make sure your system is up to date.
 
Went to Apple store. Employees said a workaround is to disable Wifi and don't use Ethernet until patch comes in for fix.
Sounds like a perfectly acceptable solution. It's not like there's anyone who would want to use this new-fangled interwebz stuff on their Turing Mainframe Local Interface Terminal...

Sarcasm from the employees would imply knowledge of products other than iOS.
 
Microsoft: Zero Day Exploits
Apple: Day One Exploits

Both: Unacceptable

*Sighs* Maybe I’ll keep this iMac on Sierra for awhile longer.

I'll stay with El Cap for now.
God forbid they don't meet all your expectations on this free product.

You paid for the software updates when you purchased the hardware.

Went to Apple store. Employees said a workaround is to disable Wifi and don't use Ethernet until patch comes in for fix.

Yeah, that's realistic /s
This is false. The "researcher" is complaining about there being no bug bounty program for macOS in the video. He wanted to get paid for finding this bug and did not share it with Apple beforehand.

If this was shared with Apple during any of the betas they would have fixed it before release.

So why doesn't Apple offer a bug bounty program for macOS like they do for iOS?
 
Couldn’t he have shared this a day before it was released? Feel like a bit of a doughnut now that I’m halfway through the update :(

https://www.bleepingcomputer.com/ne...bypass-flaw-allows-access-to-protected-files/

"He says that the zero-day vulnerability stems from the way Apple implemented the protections for various privacy-related data."

I thought this was a third party app installed to do this.. Why would Apple bundle their own OS with an app that can break its own OS? About 0.37 seconds in, he runs "./breakMojave.app" from Terminal
 
Articles like this make me wonder why so many average consumers are proud to upgrade on day 1.
 
Yes, sure he did discover it today (with a three-week-old version of the Mojave beta, and wrote today a program that is able to exploit it..)
In reality he waited for the release date, in the best case to get attention.... what does this guy do to make a living? create Ransomware??
 
I just got the confidence to update to Sierra from Mavericks on my Mac mini. I want the dark mode but I’m gonna wait maybe 6 months before I download Mojave.
 
https://www.bleepingcomputer.com/ne...bypass-flaw-allows-access-to-protected-files/

"He says that the zero-day vulnerability stems from the way Apple implemented the protections for various privacy-related data."

I thought this was a third party app installed to do this.. Why would Apple bundle their own OS with an app that can break its own OS? About 0.37 seconds in, he runs "./breakMojave.app" from Terminal

He wrote a program to exploit the deficiency he found.
 
As a security researcher professional, this is entirely inappropriate. He should have contacted Apple during the beta release cycle and gotten it fixed. If Apple needs more time to fix it, and is aware of the issue, then you keep the vulnerability under wraps so that other hackers do not exploit your vulnerability while it has no fix.

The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.

See the guys listed here? These are the true professionals, they did it right.

https://support.apple.com/en-us/HT209139

Aloha Steve,
In order to protect Mac users I did not publish any technical details of the vulnerability. The video simply illustrates the impact of that flaw, and shows that contrary to Apple's claims, Mojave does not protect user data (in a sufficient way).

IMHO this is something important that Mac users should be made aware of (while yes, not providing any details that hackers could (ab)use to exploit the bug).
 
Aloha Steve,
In order to protect Mac users I did not publish any technical details of the vulnerability. The video simply illustrates the impact of that flaw, and shows that contrary to Apple's claims, Mojave does not protect user data (in a sufficient way).

IMHO this is something important that Mac users should be made aware of (while yes, not providing any details that hackers could (ab)use to exploit the bug).
Aloha "Patrick"

If you really are who you say you are, (skeptical) then I have some words for you. You have shown that there is a vulnerability in a brand new feature of an operating system on release day. No doubt, you timed this information release with the consumer release. If you had posted this information a week ago, in the format that you did, I would not have posted such a scathing assessment of your motives. However instead you have diverted the publicity of the release of a brand new operating system to your address book security bypass exploit. Congratulations on your media storm, this serves nothing but yourself.

There are reasons why ethical security researchers post information to the public. Those reasons include:

Active exploitation (i.e. malware found in the wild)
Refusal from the vendor to fix a known vulnerability
Edit: Also to provide mitigation instructions, which you have not.

None of these cases are true, unless you can show us an email from Apple stating they do not consider what you did a vulnerability. There is no reason why you could not sit on your hands, or assist Apple in developing a fix (they pay double for this, in their insider program I will mention later) while Apple included their fix in 10.14.1 or 10.14.0.1. This has minimal risk of being actively exploited, especially since you obviously knew of this flaw during beta. The whole point of the beta program is for testers and professionals to find bugs and fix them before they go live. By posting in the format you did, all you have done is make the security industry look bad.

Apple does have a bug bounty program, they just offer it to researchers that have a track record with them. If you wanted to get paid for your vulnerabilities, either work with Apple to get on that list, or send your vulnerabilities to the Zero Day Initiative.

I ask you to question yourself if you really did this to help the public, or to draw attention to yourself. Thank you for reading my lengthy response.
 
Why don't they do proper testing? A bit embarrassing for a trillion dollar company.

I’ve been (partially) responsible for delivering about 300 websites and some of them have seen large scale testing. In almost every project there is a flaw that’s very obvious but isn’t discovered until the project is finished.
 
In software development there is this thing called testing. Small teams cannot test everything but for a company this size more exhaustive testing is expected.
Nonetheless, the reality is that things can and still do get through.
..... all those months of beta testing, and now this...
This being reality.
 