No he's not kidding. Many Apple fanatics subscribed to the belief that you shouldn't download apps outside of the App Store onto your MacBook. How they manage to stick only to the App Store is a mystery to me.
My thoughts exactly. I mean that would mean me uninstalling Parallels and M$ Office, which means if I insist on using a Mac, no job. Unbelievable!
 
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Hi, Patrick here! I contacted Apple's product security team via email and text in early September (shortly after discovering the bug). I provided a detailed writeup and source code of a PoC exploit, and followed up with them after the submission. I understand that as this was 'shortly' before High Sierra's release, they were not able to release a patch on time. However, my understanding is a patch will be forthcoming :)
How much money will this guy make for highlighting the vulnerability?
Though I reported the bug to Apple, as their bug bounty program is iOS only, I'll make $0.0 dollars.
 
Hi, Patrick here! I contacted Apple's product security team via email and text in early September (shortly after discovering the bug). I provided a detailed writeup and source code of a PoC exploit, and followed up with them after the submission. I understand that as this was 'shortly' before High Sierra's release, they were not able to release a patch on time. However, my understanding is a patch will be forthcoming :)
Though I reported the bug to Apple, as their bug bounty program is iOS only, I'll make $0.0 dollars.
I have no reason to believe it isn't you but, (no sarcasm), thanks for the update. I get the impression they've known about this anyway.
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Post number 205 for you. I think an apology is in order?
 
Seems like something Apple should definitely have been able to fix within the 90 day disclosure window (i.e from when they tell the affected company to when they disclose the vulnerability) used by responsible security researchers.

Because of this I'm going to hazard a guess and say that he intentionally held off revealing this and just went straight to the media the same way that guy who found a vulnerability in AT&T's iPad registration program where he could get the email addresses of everyone who owned an iPad through AT&T. However unlike that stunt he's probably just going to be getting some fame and not actual jail time for revealing the email addresses and other sensitive personal information of Department of Defense staff.

But hey, in this world where narcissism is seen as a positive trait and not a serious personality flaw this kind of *******ry for attention is nothing new or unexpected.
 
Hi, Patrick here! I contacted Apple's product security team via email and text in early September (shortly after discovering the bug). I provided a detailed writeup and source code of a PoC exploit, and followed up with them after the submission. I understand that as this was 'shortly' before High Sierra's release, they were not able to release a patch on time. However, my understanding is a patch will be forthcoming :)

If you got the information that a patch is forthcoming, wouldn't it have been better to perform a responsible disclosure and not publish the details before the patch is out? For after all, Apple had less than a month to react right before a major release, so it wouldn't be unreasonable to give them at least a full month.

Though I reported the bug to Apple, as their bug bounty program is iOS only, I'll make $0.0 dollars.

This genuinely sucks. Apple should extend the bug bounty program to macOS as well. Findings like this one deserve a bounty.
 
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article? This kind of thing is exactly why I stay a year behind.
I also don't update until the final release of the previous OS just before the latest version releases - but in this case, it doesn't matter - we're still vulnerable.
 
No he's not kidding. Many Apple fanatics subscribed to the belief that you shouldn't download apps outside of the App Store onto your MacBook. How they manage to stick only to the App Store is a mystery to me.
I buy Mac apps outside the MAS, but I never install unsigned Mac apps (i.e. “Allow apps downloaded from: App Store and identified developers”), and never from developers without a well-established reputation (which, for example, would exclude your fame-seeking friend).

Not a perfect system, necessarily, but good enough for 99.999% of all cases.
 
Hi, Patrick here! I contacted Apple's product security team via email and text in early September (shortly after discovering the bug). I provided a detailed writeup and source code of a PoC exploit, and followed up with them after the submission. I understand that as this was 'shortly' before High Sierra's release, they were not able to release a patch on time. However, my understanding is a patch will be forthcoming :)

So, assuming we can believe your timeline, that’s ~18 days? I’m sure your mom must be proud, but that’s not considered to be sufficient time to get a patch released when you’re documenting the exploit. Did you also tell their security team that you would be dumping the exploit on release day?

It would certainly be interesting to see the original, unaltered email chain (headers and all).
This genuinely sucks. Apple should extend the bug bounty program to macOS as well. Findings like this one deserve a bounty.

Nope. Bug bounties are about responsible disclosure, something Patrick doesn’t appear to know anything about.
 
Hi, Patrick here! I contacted Apple's product security team via email and text in early September (shortly after discovering the bug). I provided a detailed writeup and source code of a PoC exploit, and followed up with them after the submission. I understand that as this was 'shortly' before High Sierra's release, they were not able to release a patch on time. However, my understanding is a patch will be forthcoming :)
Though I reported the bug to Apple, as their bug bounty program is iOS only, I'll make $0.0 dollars.

Why did you disclose it so soon? (other than for attention, of course?).

If you're a security researcher, you are trying to prevent harm. What you've done is made hackers aware of a bug before you've given Apple a chance to fix it. Give yourself a nice pat on the back - I hope the media attention was worth it (and your loss of credibility).
So, assuming we can believe your timeline, that’s ~18 days? I’m sure your mom must be proud, but that’s not considered to be sufficient time to get a patch released when you’re documenting the exploit. Did you also tell their security team that you would be dumping the exploit on release day?

It would certainly be interesting to see the original, unaltered email chain (headers and all).


Nope. Bug bounties are about responsible disclosure, something Patrick doesn’t appear to know anything about.

Yep, I would hope Apple kicks him out of the iOS bounty program too.
 
This is the perfect forum thread.

Loads of likes for people who keep posting "What a jerk for not telling Apple first".
He did. A month ago.

Loads of likes and smug posts of "See? This is why I didn't upgrade to High Sierra"
Sierra and earlier are also affected, so the upgrade makes no difference.

Both types of people are probably those who get angry at being asked to enter their password when installing some random virus checker or "speed up your Mac" software.

And then there are smug posts like mine! But at least I typed more :D
 
This is the perfect forum thread.

Loads of likes for people who keep posting "What a jerk for not telling Apple first".
He did. A month ago.

He said "early September". That's half a month at best.

There is such a thing called "Responsible Disclosure". Think of it like a gentleman's agreement to give companies enough time to push a fix before making the exploit public.

All he's done in disclosing this bug so soon is make "hackers" aware of it, giving them a chance to exploit it before Apple can fix it. You cannot expect Apple to be able to push a fix in 2 weeks this close to a major launch.

We probably won't see the entire contact chain, but I bet it goes something like:

"Hey Apple, I found this bug, what's the bounty?"

"Thanks, but we don't offer a bounty for MacOS bugs"

"OK, well screw it then, I'll take the media coverage instead"
Lol, checked out his blog, found out why he's done it:

Q: Doesn't Apple have a bug bounty program to reward security researchers for reporting such nasty bugs?
A: Unfortunately Apple's bug bounty program does not cover macOS. As such, no reward for me. But cliché as this sounds, I'll be stoked (as a fellow Mac user) to know that once patched, macOS will be more secure. Plus your patron support more than makes up for Apple's parsimonious approach :)

Blog donations ;)
 
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article? This kind of thing is exactly why I stay a year behind.

You missed the bit about this NOT being a new vulnerability. Generally, it is safer to stay up to date. If you're running an OS that hasn't been patched for a year you will be exposing yourself to widely disseminated exploits.
 
Nope. Bug bounties are about responsible disclosure, something Patrick doesn’t appear to know anything about.

Seems like I wasn't being clear enough. I was talking about macOS bug bounties in general and cases like that would indeed warrant a bounty, but like you said it should be rewarded only when disclosure is done responsibly.
 
Repeating myself because it keeps coming up: where an app comes from, signed, unsigned or even the app store, any code could contain an exploit for this. There is nothing you, the user, can do to ensure you are protected except not to store any passwords in the keychain.
 
If the code is decades old, it's not technically zero-day.
That's not accurate. In the jargon of computer security, "Day Zero" is the day on which the interested party (presumably the vendor of the targeted system) learns of the vulnerability. Up until that day, the vulnerability is known as a zero-day vulnerability.

It doesn't matter how old the code is. All that matters is that the vulnerability has not been discovered.
He made everyone aware of the issue, possibly without giving Apple time to fix it. Thus, he exposed people.
As already disclosed, he made Apple aware of the bug in early September, shortly after discovering it. He didn't expose anyone. Apple did. He simply made the public aware of an unpatched bug.
Unless he just found this bug today it is distasteful that he waited until the public release to disclose it.
See above. Did it ever occur to you that he may have waited until release day to see if Apple included a patch for the bug he reported to them? Since the patch wasn't included in the release, he did a service to users by making them aware of the flaw.
I thought the unwritten rule was to share details with the developer first & give them 30 days to fix it, then release the information to the public.
See above
Well, you don’t protect people by releasing the exploit to the public. You give the offending party time to correct and then shame them if they don't.
He didn't release the exploit. He released information about the exploit, but did not release all the code required to implement it.
Fair enough, but when did he notify them? Today? Yesterday? Last week? It is normal for companies not to respond to these submissions (at least on the record) for many reasons, but how long did he give Apple to fix this issue before going public? If we find out it was 2-3 months ago this is fair.
See above.

To my knowledge, Patrick has not given a specific timeline as to when he acted.
Yes, he did. See above.
Publishing exploits is cyber-terrorism. These people should be jailed.
He didn't publish any exploit; only information about it.
 
I have no reason to believe it isn't you but, (no sarcasm), thanks for the update. I get the impression they've known about this anyway.
If Apple knew about it anyway then they would have serious questions to answer.
 
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Riiight...because it is a single guy being a "jerk" and not sloppiness on the part of a near-trillion dollar company. :rolleyes:

From the article:
"Patrick Wardle, ex-NSA analyst and now head of research at security firm Synack, found the problem Monday, warning that it could allow anyone able to run malicious code on a Mac to pilfer passwords from the keychain."


And later in the article:
"Indeed, he's repeatedly shown how to execute attacks on Apple's operating system in recent years, and earlier this month highlighted problems in macOS High Sierra's "Secure Kernel Extension Loading" (SKEL) feature, which was designed to require user approval before third-party code ran at the kernel level of the operating system. Wardle showcased an attack on an unpatched and previously-unknown vulnerability (i.e. a "zero-day") that bypassed SKEL security."

Seems reasonable to conclude that he informed Apple prior to High Sierra being released... he certainly didn't keep it secret. As with every criticism of a beta of an operating system the response is, "give them a break, it's beta! They'll have time to fix it".
 