Henze appears to use a malicious app to extract data from the Mac's Keychain app without the need for administrator access or an administrator password.

You would need a password in order to open a newly installed (malicious) app and you would need user access to the Mac to begin with. This is a BS item to a large extent.
 
You didn't follow up with, "If Steve were alive..."
They do not need Steve to make good software, just more care.

Now if the Mac was still the main revenue generator for them, the story would still be very different, Steve or no Steve.

I do not think Apple was/is a one man show, and please do not put words in my mouth, if I intended to follow up with that sentence I would have :)
 
A public bug bounty program is essential for every bigger software company. Money = motivation. Apple seem to really believe they don't make mistakes or what...?
 
Extortion implies that not informing developers of bugs is illegal, which it isn’t of course.

Extortion doesn't have to be over something that is illegal. You could threaten someone to pay you or they'll tell your girlfriend that you're cheating on her. You cheating on your girlfriend isn't illegal, but the extortion is still immoral (and could be illegal in some cases).

I think the 'researcher' in this case is a little shady for not revealing the bug unless Apple pays him puts him in the 'bad hacker' category to me.

In general, I don't have a problem with bug bounty programs being offered, but a 'researcher' withholding bug info unless there is one is pretty sleazy.
 
A piece of the drivetrain in my car broke, causing a nasty racket when in motion. The dealer fixed it, for free, as it was a known defect. The first person who found this defect in their car did not get a bug bounty and neither did I.
My TV broke, and would not turn on. I returned it to the dealer, who replaced it. I did not receive a bug bounty.
A fan in my fridge failed, and I lost all the food in my fridge. The repairman told me it was a common problem. The dealer paid for the fix, under warranty. I did not get a bug bounty, nor did they compensate me for the lost food.

Technology has flaws. I don't expect someone to pay me for finding defects, unless I'm being paid under some contract like a bug bounty program. This guy did the work, with no contract. He does not deserve to be paid for work he wasn't asked to do. Withholding the method to reproduce this bug, and demanding something from Apple, is extortion.

I hope Apple developers discover and fix the bug this hoser found, and that he gets nothing. By holding the bug info hostage, he's putting millions of macOS users at unnecessary risk.
 
I understand that finding flaws isn't always an easy thing and can take highly educated/skilled people lots of time to find things like this however no one is forcing this guy to do it.

This sounds a bit like extortion to me.

Agreed. Apple pays people a lot of money (i.e. full-time salaries) to find bugs.

Saying they MUST outsource it to unpaid, speculative bounty hunters is ridiculous. Yes Apple could follow Google's model and have everything in 'beta' with users encouraged to do the work of paid devs/testers for them. But like... why? I prefer the model of hiring people to do the work full-time.

If this is a legit hack (I have my doubts as he needs to be logged in and also needs to have allowed apps from unidentified devs so read between the lines... he already has admin access) then maybe Apple would offer him something anyway... if he approached them politely rather than brigading like this and trying to extort them.
 
Based on the limited information, does anybody have any ideas or theories as to how this could be delivered to your Mac?

The same way ALL current malware is delivered: by human engineering, phishing, scamming, preying on human stupidity. This is another exploit that requires physical access to your Mac and cannot be implemented remotely. In other words, you have to be tricked into downloading the app and then running it on your machine.
 
Henze appears to use a malicious app to extract data from the Mac's Keychain app without the need for administrator access or an administrator password.

You would need a password in order to open a newly installed (malicious) app and you would need user access to the Mac to begin with. This is a BS item to a large extent.

So, you are saying that Keychain is useless because the physical access and password protect the data well enough. Stupid Apple!
 
A piece of the drivetrain in my car broke, causing a nasty racket when in motion. The dealer fixed it, for free, as it was a known defect. The first person who found this defect in their car did not get a bug bounty and neither did I.
My TV broke, and would not turn on. I returned it to the dealer, who replaced it. I did not receive a bug bounty.
A fan in my fridge failed, and I lost all the food in my fridge. The repairman told me it was a common problem. The dealer paid for the fix, under warranty. I did not get a bug bounty, nor did they compensate me for the lost food.

Technology has flaws. I don't expect someone to pay me for finding defects, unless I'm being paid under some contract like a bug bounty program. This guy did the work, with no contract. He does not deserve to be paid for work he wasn't asked to do. Withholding the method to reproduce this bug, and demanding something from Apple, is extortion.

I hope Apple developers discover and fix the bug this hoser found, and that he gets nothing. By holding the bug info hostage, he's putting millions of macOS users at unnecessary risk.

None of the examples you provided make any sense. You didn't do any of the investigative steps to find the root cause or document how to recreate any of the defects.
 
Well, if Germany is willing to penalize Apple for disputes over AC/Intel patents, I sure hope they'd be willing to go after this guy for not revealing a critical vulnerability if there indeed is one.
 
Agreed. Apple pays people a lot of money (i.e. full-time salaries) to find bugs.

Saying they MUST outsource it to unpaid, speculative bounty hunters is ridiculous. Yes Apple could follow Google's model and have everything in 'beta' with users encouraged to do the work of paid devs/testers for them. But like... why? I prefer the model of hiring people to do the work full-time.

If this is a legit hack (I have my doubts as he needs to be logged in and also needs to have allowed apps from unidentified devs so read between the lines... he already has admin access) then maybe Apple would offer him something anyway... if he approached them politely rather than brigading like this and trying to extort them.

Apple not having a bounty program is a clear indication that they do not care about user security and put their own profits above all. I am not sure why you are OK with this. Then, of course, we know that this site is frequented by APPL shareholders so, perhaps, one should not be surprised.
Well, if Germany is willing to penalize Apple for disputes over AC/Intel patents, I sure hope they'd be willing to go after this guy for not revealing a critical vulnerability if there indeed is one.
To go after him for what exactly? For being smart? That's not a crime (even in USA).
 
Apple not having a bounty program is a clear indication that they do not care about user security and put their own profits above all. I am not sure why you are OK with this. Then, of course, we know that this site is frequented by APPL shareholders so, perhaps, one should not be surprised.
To go after him for what exactly? For being smart? That's not a crime (even in USA).

Hiding a vulnerability is not "being smart;" it's putting people at risk.
 
Based on what? The convenience of opinionated vilification of a company for its size or success?
Based on observations of numerous security holes discovered by users in the last years, with the ability to log in without a password crowning them all. All they do is milk the iPhone cow: Macs have long been left on the wayside, just look at the ridiculously priced pieces of unserviceable junk they call “pro” computers!
 
Mmmm I don't know, maybe because him being a Mac user is vulnerable to such an issue, and so is everyone else? Also, maybe because it's the right thing to do? Well, I guess people don't really care about that anymore. No wonder things are the way they are in the world today. Before anyone says "Well, that's how he makes a living": he knew beforehand that Apple does not offer a bug bounty for macOS, so he should be investing his time finding bugs in iOS perhaps. Don't take me wrong, I do believe Apple should offer a bug bounty for macOS, but I don't think holding them "hostage" is the correct thing to do.

100% guarantee you don't work for free. right? exactly. point proven. lol.
 
Mmmm I don't know, maybe because him being a Mac user is vulnerable to such an issue, and so is everyone else? Also, maybe because it's the right thing to do? Well, I guess people don't really care about that anymore. No wonder things are the way they are in the world today. Before anyone says "Well, that's how he makes a living": he knew beforehand that Apple does not offer a bug bounty for macOS, so he should be investing his time finding bugs in iOS perhaps. Don't take me wrong, I do believe Apple should offer a bug bounty for macOS, but I don't think holding them "hostage" is the correct thing to do.

He's not holding them hostage. He didn't create the vulnerability.
 
Pro Tip: You can have multiple keychains, and when a password or cert is needed, macOS will automatically search all of them. Keep the passwords that are constantly needed (e.g. email server passwords for Mail.app) on the main keychain (unlocked at login), move everything else (more sensitive / less used passwords) off to another keychain (or two or three) and set those ones to locked-by-default and require user authentication at every use.

And, as mentioned by others, don't have your main login be an admin. Set up a separate admin login, and stay out of it. You'll be prompted for an admin login/password for things like installing new software in /Applications. This is a good thing.
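The keychain part of that tip, scripted with macOS's own `security` command line tool (an added example, not from the post or from Apple): it creates a second keychain for rarely used secrets, makes it lock on sleep and after a short idle time, appends it to the user search list so apps still find its items (and the user gets a password prompt while it is locked), and leaves it locked. The keychain name `sensitive.keychain-db`, the `KC_DRY_RUN` switch and the 300-second timeout are choices made here; the per-item "Ask for keychain password" confirmation is still set in Keychain Access, not by this script.

```shell
#!/bin/sh
# Added example (not from the thread): a second, locked-by-default keychain for
# sensitive items, set up with the macOS `security` CLI. Assumes macOS 10.12+
# (.keychain-db files). KC_DRY_RUN=1 prints the commands instead of running
# them, so the script can be reviewed on any machine before touching a keychain.
set -e

SENSITIVE_KC="${SENSITIVE_KC:-$HOME/Library/Keychains/sensitive.keychain-db}"
IDLE_SECONDS="${IDLE_SECONDS:-300}"   # relock after 5 minutes without use

run() {
    if [ "${KC_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# `security list-keychains` prints indented, double-quoted paths; emit one bare
# path per line so they can be passed back as arguments.
parse_search_list() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e '/^[[:space:]]*$/d'
}

setup_sensitive_keychain() {
    # -P prompts for the new keychain's password instead of taking it on argv
    run security create-keychain -P "$SENSITIVE_KC"
    # -l: lock when the Mac sleeps; -u -t N: lock after N seconds of inactivity
    run security set-keychain-settings -l -u -t "$IDLE_SECONDS" "$SENSITIVE_KC"
    # -s REPLACES the user search list, so keep every keychain already in it
    # (in dry-run mode assume only the default login keychain is listed).
    if [ "${KC_DRY_RUN:-0}" = "1" ]; then
        current="$HOME/Library/Keychains/login.keychain-db"
    else
        current=$(security list-keychains -d user | parse_search_list)
    fi
    set --
    while IFS= read -r kc; do
        [ "$kc" = "$SENSITIVE_KC" ] || set -- "$@" "$kc"
    done <<EOF
$current
EOF
    run security list-keychains -d user -s "$@" "$SENSITIVE_KC"
    # Start locked: nothing can read it until the user enters its password
    run security lock-keychain "$SENSITIVE_KC"
}

if [ "${1:-}" = "--run" ]; then setup_sensitive_keychain; fi
```

Run it once with `KC_DRY_RUN=1 sh keychain.sh --run` to review the exact commands, then without the variable to apply them.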
 
This bug hunter is not dangerous nor is he an extortionist nor is he blackmailing Apple nor is he under any obligation to disclose his discovery. He is raising awareness by demonstrating a problem—a lack of a bug bounty program. If he had not found a serious bug, no one from Apple would take him seriously.

Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.

I understand that finding flaws isn't always an easy thing and can take highly educated/skilled people lots of time to find things like this however no one is forcing this guy to do it.

This sounds a bit like extortion to me.

So blackmailing is the solution then?
 
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.
Then there would be no bug bounties because the researchers would be doing the work for free. Unlike the programmers at Apple who get paid.
 