Really? I think it's the best it's ever been and I've been using Macs since 1984. I love Mojave.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest
- Thread starter MacRumors
- Start date
- Sort by reaction score
Really? I think it's the best it's ever been and I've been using Macs since 1984. I love Mojave.
food for thought... you need the computer password to download and save an application on MacOS.
Thank you, I wish the macrumors article would highlight this point.
[doublepost=1549489095][/doublepost]
CarlJ, maybe you can answer this, I had to create another Keychain folder because if you don't use ICloud, your Safari passwords get stored to a "Local Items" folder and you can't access them when upgrading to the latest MacOs.
I had to copy and paste each password into a new folder, problem solved, except now whenever I create a new Safari password, it won't save into the new folder, only the Local Items folder.
I will have to write those down on a piece of paper the next time I want to upgrade the OS.
Is there a way to force Safari to save new passwords to the folder of my choice?
Do you work for free? Should a security researcher work for free? I don’t think so. It’s unfortunate that Apple is not willing to pay for information regarding security risks. Even more so when such program is being implemented on iOS but not on Mac OS.
Apple should really give bounty on bugs found on Mac OS. Its strange they don't already. They can afford it.
Is this another example of Apple not giving two ***** about Mac computers?
Is this another example of Apple not giving two ***** about Mac computers?
Is he threatening to reveal it to others? That would be sleazy. But right now it's his proprietary information. There's nothing "sleazy" about withholding proprietary information.
That’s nonsense. Apple created macOS, Apple released macOS to the public, and only Apple benefits monetarily from macOS. Therefore as sole proprietor of macOS, only Apple can be responsible for macOS.
Feel free to spend your own time to find and report the bug to Apple, if you are so offended. The only party with an obligation to fix this problem is Apple.
When your security and privacy PR spin is so effective that you don't need a bug bounty program.
Uh, no. That's not the way security works.
If you're attacking a castle, you might not be able to reach the king's quarters by breaking a single set of bars, but those bars can get you into a food storage area, and nobody expects somebody to break out of a food storage area, so there's no protection on that side. So you easily escape into the area where the servants prepare meals. From there, you gain access to a special passage that leads to a staircase that the servants use to bring food directly to the king, and then enter the king's quarters.
It's the same way in computer security. Most attacks on computers are not caused by a single flaw. Rather, one flaw gains you access to something that you shouldn't have access to. Then, another flaw lets you go from that access level to a subsequent level. And so on.
For example, the user might hit a particular web page, and the content on that page might cause Safari to download a malicious library in the background. Then, the server might use an exploit in Safari's JavaScript engine to allow it to run a small snippet of arbitrary code that is just sufficient to inject that malicious library into the running Safari application process and then start running the malicious library code, which in turn does the actual extraction and sends the data back to the attacker.
All of this can happen without the user even being aware that it is happening, assuming the right combination of bugs exists, and unfortunately, guaranteeing that no remote code execution bugs exist is likely to be completely infeasible. That's why it is critical that the keychain work correctly and provide the security that it is supposed to provide, even against local attackers; it only takes one other vulnerability to turn a remote attacker into a local attacker.
Actually, that's arguably a better approach than telling them the details. If you've found a flaw, it means there is a flaw. But for all you know, there could be dozens of flaws. By not revealing which flaw, it forces them to dig in and give careful scrutiny to code that otherwise might not have been properly scrutinized, which has the potential to find more problems than just the one you're aware of.
Give a man a fish....
So, if you HAD not brought your car back to the dealer, and just lived with the problem, would THAT be unethical on YOUR part? What if you had told the car manufacturer "I'm going to keep this broken car and do nothing, unless you paid me a bonus"? Because that is the correct parallel to the situation in this thread.
Actually he already broke the german law by hacking the OS. Hacking it systems without prior ok from the owner is illegal in Germany. It's a criminal offence worthy of multiple years in prison...
If there's one thing I've learnt about Apple it's that they're definitely high off their own supply.
It is not the lack of a bounty he protests, it is the lack of a bug bounty program.
That's a great comparison because I'd expect to have to pay the person to explain how to fix the house properly. The solution involves their expertise that (no doubt) required several years of learning, training and experience to get to, along with their time to detail the fix.
That only seems fair, doesn't it?
That would indeed be unethical-- IF there were no actual design flaw. It would be fraud, in fact; which is not only unethical, but illegal.
But if there really is a flaw, then you are doing the homeowner, and his insurance company, a huge favor just by informing them of the existence of an unnamed problem.
Are you implying there really is no bug? That wouldn't matter-- a bug bounty program doesn't pay out unless a bug is verified.
[doublepost=1549490111][/doublepost]
Maybe you missed the subtle distinction between a reward just for him, and a bug bounty program that benefits everyone.
[doublepost=1549490508][/doublepost]
The Germany has a very weird idea of private property. The only thing he hacked was the specific instance of the OS sitting on his own desktop computer, which (we can assume) he owns. He did not hack anyone else's copy.
It's also interesting to hear that Germany has outlawed independent white hat security researchers. And also, counterproductive and highly unlikely.
They know they make mistakes. But only on iOS.
[doublepost=1549491101][/doublepost]
The dealer fixed it for free, but they paid the mechanic that actually did the work.
You are not paying for the bug to be fixed, but Apple should be.
Well, if the end result is Apple creates a bug bounty program, then i'd argue the first two points kinda counteract the second....
Pick up a dictionary.
He is under absolutely no obligation to show them anything. "Doing the right thing" doesn't put food on the table.
If Apple doesn't pay him, someone else more dangerous will.
Immature and childish is all I can say to describe Henze.
Well, I didn't try to extort money from the manufacturer, which would be silly. Ethics has nothing to do with it.
I didn't do any "work" to find these problems. Just because this guy did "work" does NOT entitle him to money, or a bounty program.
The guy who supposedly found a bug in the Keychain app is trying to extort money from Apple. That is unethical.
Apple has no obligation to pay this guy anything. They also have no obligation to open a bug program for macOS, just because this guy demands it.
Well, that’s an interesting logic, to say the least. You do realize he does not work for Apple, right? And that he performed a “job” knowing well that Apple does not pay for such task (macOS bug bounty)? Right?
So no, I do not work for free but if I performed a task, at my will, knowing that such job is not payed, then yes, I would be working for free.
We don't know that. For all we know, his Admin password is weak and this app is simply brute-forcing that to decrypt the keychain items. That would make sense given the time needed during the demo video.
He's conveniently making it sound like Apple's Keychain database has a flaw, but we don't have enough info to definitively draw that conclusion.
Do I work for free? No. But then I don't spend days, weeks or months working on a company's product when they have no idea I exist.
The researcher knew Apple did not offer a bounty, but invested the time anyway.
Now... having said that...
I think Apple should offer a bug bounty. It's a great way to attract the attention of these skilled researchers. But the security community surely has better ways of engaging with Apple than withholding information about a potentially critical bug. Since they offer one for iOS, Apple are clearly not against the principle.
If the bug has been found, it should be disclosed so that it can be fixed in order to protect millions of macOS users -- that's the right thing to do. Rewarding researchers for finding bugs is also the right thing to do.
That changes everything. Most people would be affected because the first user account created when setting up a Mac has Admin rights.
[doublepost=1549492725][/doublepost]
Yes, but that's likely irrelevant. Keychain has been around for 20+ years, and has always been encrypted. It's doubtful that recent versions of macOS have introduced a flaw that this guy is exploiting.
Is it time for Apple to raise the bar and use stronger encryption? Yes. I believe they still use 128-bit, but regardless of the level of encryption, if this guy is brute-forcing the Admin password to get access to the encrypted keychain database, then the actual strength of the encryption doesn't matter.
if he kept it quiet it would still be selfish, going public is criminal to me. I imagine there is a push to hack his system to learn details by people smarter and well funded. Then we users lose.Henze has not shared the details of this exploit with Apple and says that he won't release it because Apple has no bug bounty program available for macOS. "So blame them,"
This guy is a real class act.