macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 6, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    German security researcher Linus Henze this week discovered a new zero-day macOS vulnerability dubbed "KeySteal," which, as demoed in the video below, can be used to get to all of the sensitive data stored in the Keychain app.

    Henze appears to use a malicious app to extract data from the Mac's Keychain app without the need for administrator access or an administrator password. It can get passwords and other information from Keychain, as well as passwords and details for other macOS users.


    Henze has not shared the details of this exploit with Apple and says that he won't release it because Apple has no bug bounty program available for macOS. "So blame them," Henze writes in the video's description. In a statement to Forbes, Henze clarified his position, and said that discovering vulnerabilities takes time.
    Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.

    According to German site Heise Online, which spoke to Henze, the exploit allows access to Mac Keychain items but not information stored in iCloud. Keychain is also required to be unlocked, something that happens by default when a user logs in to their account on a Mac.

    Keychain can be locked by opening up the Keychain app, but an admin password then needs to be entered whenever an application needs to access Keychain, which can be inconvenient.

    Apple's security team has reached out to Henze, according to ZDNet, but he has continued to refuse to provide additional detail unless they provide a bug bounty program for macOS. "Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."

    This isn't the first Keychain-related vulnerability discovered in macOS. Security researcher Patrick Wardle demoed a similar vulnerability in 2017, which has been patched.

     
  2. Scottsoapbox macrumors 6502a

    Scottsoapbox

    Joined:
    Oct 10, 2014
    #2
    How does Apple not have a bug bounty program? Did they start believing their own marketing on Mac OS?
     
  3. GordonGekko999 macrumors 6502

    Joined:
    Mar 6, 2009
    #3
    Based on the limited information, does anybody have any ideas or theories as to how this could be delivered to your Mac?
     
  4. displaced macrumors 65816

    displaced

    Joined:
    Jun 23, 2003
    Location:
    Gravesend, United Kingdom
    #4
    Hmm.

    Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

    Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.
     
  5. anaudiopro macrumors 65816

    anaudiopro

    Joined:
    Mar 7, 2017
  6. AngerDanger macrumors 68040

    AngerDanger

    Joined:
    Dec 9, 2008
    #6
    Thank god! It was so time-consuming having to double FaceTime call people and wait for them to casually list their passwords as part of natural conversation.
     
  7. Mac Rules macrumors 6502

    Mac Rules

    Joined:
    Jul 15, 2006
    Location:
    Switzerland
    #7
    No bug bounty, they really are asking for trouble...
     
  8. nvmls, Feb 6, 2019
    Last edited: Feb 6, 2019

    nvmls macrumors 6502a

    nvmls

    Joined:
    Mar 31, 2011
  9. givemeanapple macrumors Demi-God

    givemeanapple

    Joined:
    Oct 2, 2016
    Location:
    Earth
    #9
    Another day, another security hole in the world of Apple.
     
  10. lostngone macrumors 65816

    lostngone

    Joined:
    Aug 11, 2003
    Location:
    Anchorage
    #10
    I understand that finding flaws isn't always an easy thing and can take highly educated/skilled people lots of time to find things like this; however, no one is forcing this guy to do it.

    This sounds a bit like extortion to me.
     
  11. Goompa macrumors member

    Goompa

    Joined:
    Oct 29, 2018
    #11
    It doesn’t surprise me. It’s been a long time since Apple seemed to care about macOS.

    I’m happy for the researcher. Let’s put some pressure on the giant.
     
  12. roar08 macrumors regular

    roar08

    Joined:
    Apr 25, 2008
    #12
  13. iShater macrumors 604

    iShater

    Joined:
    Aug 13, 2002
    Location:
    Chicagoland
    #13
    I wasn't aware they did NOT have this program. :eek:
     
  14. roar08 macrumors regular

    roar08

    Joined:
    Apr 25, 2008
    #14
    Based on what? The convenience of opinionated vilification of a company for its size or success?
     
  15. dannyyankou macrumors 604

    dannyyankou

    Joined:
    Mar 2, 2012
    Location:
    Scarsdale, NY
    #15
    On one hand, Apple should have a big bounty program for macOS. On the other hand, this guy is being a bit of a, pardon my French, d-bag. Either way, Apple is slipping.
     
  16. spazzcat macrumors 68030

    spazzcat

    Joined:
    Jun 29, 2007
    #16
    There is no such thing as bug-free software.
     
  17. thefredelement macrumors 65816

    thefredelement

    Joined:
    Apr 10, 2012
    Location:
    New York
  18. CE3, Feb 6, 2019
    Last edited: Feb 6, 2019

    CE3 macrumors 65816

    Joined:
    Nov 26, 2014
    #18
    Extortion implies that not informing developers of bugs is illegal, which it isn’t of course. Apple has likely “reached out” to offer a reward, but he says his motivation is to use this as an opportunity to get a reward program in place for everyone. Good for him. It will probably happen now.

    Yes, no one forced him to find this vulnerability, but if you’re a macOS user you should be thankful that he did.
     
  19. eoblaed macrumors 68020

    eoblaed

    Joined:
    Apr 21, 2010
    #19
    Henze has not shared the details of this exploit with Apple and says that he won't release it because Apple has no bug bounty program available for macOS. "So blame them,"

    This guy is a real class act. :rolleyes:
     
  20. YaBe macrumors 6502a

    YaBe

    Joined:
    Oct 5, 2017
    #20
    Based on...have you seen Mac OS lately?? It was a nice OS back in the days...now it is just...meh.
     
  21. kazmac macrumors 604

    kazmac

    Joined:
    Mar 24, 2010
    Location:
    On the silver scream
    #21
    Just saying:
    Perhaps the mounting security flaws that have popped up in macOS over the last 18 months? Not forgetting Apple actually dissolved the macOS team so they could work on iOS instead.
     
  22. TMRJIJ macrumors 68030

    TMRJIJ

    Joined:
    Dec 12, 2011
    Location:
    South Carolina, United States
    #22
    There’s not a single version of macOS that didn’t have a security flaw.
     
  23. Saipher macrumors demi-god

    Saipher

    Joined:
    Oct 25, 2014
    Location:
    CA
    #23
    So blackmailing is the solution then?
     
  24. JosephAW macrumors 68000

    JosephAW

    Joined:
    May 14, 2012
  25. Jimmdean macrumors 6502

    Joined:
    Mar 21, 2007
    #25
    I don't think this is accurate. My keychain is not automatically unlocked when I log in. I know every time I want to go into keychain or look up a saved password in Safari I get prompted for my local account password. I don't run around as admin though (which you shouldn't do anyway).
     
