macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest

[ArtOfWarfare]

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.

It might be a bit dangerous legally. If someone has their data compromised via this flaw, I could see things being contorted so this researcher is blamed.

I don't think it's at all unprofessional though. Refusing to provide details until there's a public document saying how much you and anyone else will be paid for the service is quite reasonable and professional. Actual professional companies do exactly this - demonstrate that you require their service, but then not provide it until they're paid. That he wants it to be an official policy makes it no less professional - honestly, it makes him more of a professional.

It's unprofessional of Apple to not immediately rectify the situation and put a bug bounty program in place.

 

[kakinc]

In full support of the researcher.
With the rise of MacOS, I am surprise MacOS bug bounty program weren't already in place.

 

[TMRJIJ]

Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.

Why do they not have a bounty program for macOS but have one for iOS? MacOS is much more complex and harder to sweep through.

 

[Goompa]

Based on what? The convenience of opinionated vilification of a company for its size or success?

It was my opinión, based on a comparison between iOS and macOS updates.

 

[mrex]

So blackmailing is the solution than?

blackmailing?

why should he give it for free to apple... or to anyone?

 

[twistedpixel8]

Based on the limited information, does anybody have any ideas or theories as to how this could be delivered to your Mac?

I have lots of apps that use Keychain to store passwords and never require my password to use them (even after reboots). They seem to be able to *use* the passwords, but not view them. I imagine it requires a special UIKit password element or something to utilize this functionality. I’m guessing this malicious app requests the password, sends it somewhere via this password field (potentially an HTTP POST request) which then just returns the posted password to the app.

It’s probably a bit more complex but I’m betting that’s not far off.

Edit: clarification

Edit2: actually, looking at how the Keychain API works, I think only apps which have the correct ACL (Access Control List) entry are able to request passwords that weren’t saved using that app. Might be an ACL exploit then.

 

[cuwickliffe]

"Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze.

Translation: I'm not doing this for the money.

"My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."

Translation: But I'm doing it for the money.

 

[adamdport]

Hacking's an art, artists deserve to be paid. Program or not, I'd imagine Apple will work something out and compensate the guy for the info. He didn't make any threats—just has an idea to improve their product and is willing to sell it.

 

[glowplug]

A bunch of Apple software engineers are going to be busy for the foreseeable future.

 

[Kabeyun]

Based on the limited information, does anybody have any ideas or theories as to how this could be delivered to your Mac?

I have the same question. So far all we know is that this works while logged in on his account on his Mac.

 

[justperry]

I don't think this is accurate. My keychain is not automatically unlocked when I log in. I know every time i want to go into keychain or look up a saved password in Safari I get prompted for my local account password. I don't run around as admin though (which you shouldn't do anyway).

It is unlocked, how else can Safari or any other App fill in passwords without your input.
If you install macOS or new mac out of the box you are automatically the Admin.

 

[Saipher]

blackmailing?

why should he give it for free to apple... or to anyone?

Mmmm I don't know, maybe because him being a Mac user is vulnerable to such issue, and so is everyone else? Also, maybe because it's the right thing to do? Well, I guess people don't really care about that anymore. No wonder things are the way they are in the world today. Before anyone says "Well, that's how he makes a living." He knew before hand that Apple does not offer a bug bounty for macOS so he should be investing his time finding bugs in iOS perhaps. Don't take me wrong, I do believe Apple should offer a bug bounty for macOS, but I don't think holding them "hostage" is the correct thing to do.

 

[emvath]

If Apple doesn't want to pay for security holes, there will be other (more nefarious) groups that will pay.

 

[JPack]

Not even a $1 payment, yet Apple buys 50 business class airline seats every day.

 

[cfurlin]

Based on...have you seen Mac OS lately?? It was a nice is back in the days...now it is just...meh.

You didn't follow up with, "If Steve were alive..."

 

[twistedpixel8]

I don't think this is accurate. My keychain is not automatically unlocked when I log in. I know every time i want to go into keychain or look up a saved password in Safari I get prompted for my local account password. I don't run around as admin though (which you shouldn't do anyway).

Admin != root

Admin is simply a sudoer in macOS. No different to being a sudoer in any other Unix distro.

 

[JPack]

Mmmm I don't know, maybe because him being a Mac user is vulnerable to such issue, and so is everyone else? Also, maybe because it's the right thing to do? Well, I guess people don't really care about that anymore. No wonder things are the way they are in the world today. Before anyone says "Well, that's how he makes a living." He knew before hand that Apple does not offer a bug bounty for macOS so he should be investing his time finding bugs in iOS perhaps. Don't take me wrong, I do believe Apple should offer a bug bounty for macOS, but I don't think holding them "hostage" is the correct thing to do.

Nobody is holding anyone hostage. The security researcher isn't threatening to release the details if Apple doesn't pay up.

 

[Sasparilla]

If Apple doesn't want to pay for security holes, there will be other (more nefarious) groups that will pay.

Appears the researcher wants to fix that unbalanced situation (or at least reduce the imbalance).

 

[emvath]

Mmmm I don't know, maybe because him being a Mac user is vulnerable to such issue, and so is everyone else? Also, maybe because it's the right thing to do? Well, I guess people don't really care about that anymore. No wonder things are the way they are in the world today. Before anyone says "Well, that's how he makes a living." He knew before hand that Apple does not offer a bug bounty for macOS so he should be investing his time finding bugs in iOS perhaps. Don't take me wrong, I do believe Apple should offer a bug bounty for macOS, but I don't think holding them "hostage" is the correct thing to do.

I disagree. I think "the right thing to do" here is is for Apple to offer a generous and fair bug bounty. As you said this guy is a Mac user and he knows that Apple isn't doing the right thing by not offering a bounty. As such both he and others may be subject to flaws that could have been found if there was such a bounty. What this guy did was force Apple's hand (well trying to anyways) to improve security for all. I argue that he isn't holding it hostage for money, he is holding it hostage to force Apple to implement a bounty program that will benefit millions.

 

[justperry]

Not even a $1 payment, yet Apple buys 50 business class airline seats every day.

What does this have to do with the issue at hand.

 

[CE3]

You didn't follow up with, "If Steve were alive..."

And “Tim Cook needs to go”

 

[lostngone]

Nobody is holding anyone hostage. The security researcher isn't threatening to release the details if Apple doesn't pay up.

HA!
It would be like telling someone their is a horrible design flaw in their house/building they live in and it could fall down at any moment. Then say I am not going to tell you unless you pay up.

 

[dman22]

What does this have to do with the issue....

It’s a red herring... One has nothing to do with the other. But because Apple spends X amount of money to allow their employees to do Y job, the mere fact that Apple spends money on transportation for their employees somehow shows that they are “wasting” their money instead of having a bug bounty program for the Mac. It’s ridiculous. Oh and btw, I do think Apple should expand their Bug Bounty Program to their other operating systems but using the fact that Apple spends money to provide transportation to their employees is a straight up straw-man and is just plain stupid.

 

[calzon65]

Since Apple is paying their software engineers, who created vulnerability, they should pay other professionals who uncover the vulnerability.

 

[udayan81]

What does Apple care about these days other than their dropping Iphone sales.