Rise of macOS? Really? Better check the market share again :p

Actually I did. From Jan 2013 to Jan 2019, macOS may not have risen much, but it did: 7.xx% to 12.xx%.
Windows, on the other hand, went from 90.xx% to 75.xx% over the same period.
Since the Windows 10 launch (July 2015) until today: 83.xx% to 75.xx%.
 
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.

Why should someone spend their time researching these issues and discovering them if they are not going to be compensated? What incentive is there? As it stands, there's no guarantee their efforts will actually discover any bugs or exploits. If he just gives Apple the info, what incentive does Apple have to institute a bug bounty?
 
I understand that finding flaws isn't always an easy thing and can take highly educated/skilled people lots of time to find things like this; however, no one is forcing this guy to do it.

This sounds a bit like extortion to me.

Extortion would be threatening to give it to someone else unless Apple pays him. He's perfectly within his rights to withhold his research. I applaud him for putting Apple's feet to the fire on this. A bug bounty program for macOS will make everyone using the platform safer.
 
So, you are saying that Keychain is useless because the physical access and password protect the data well enough. Stupid Apple!

No, I am saying that someone would need physical access to a Mac, would need to have the user password and manage to install a malicious app in order to get access to the keychain information, without the owner having a clue.

To me this is the same as saying: I allowed you access to my house, gave you the key and pointed out where I hide my sensitive information.

That is not a bug, but me being stupid.
 
HA!
It would be like telling someone there is a horrible design flaw in the house/building they live in and it could fall down at any moment, and then saying, "I am not going to tell you unless you pay up."

He’s not asking just for money for himself, he’s asking for a bounty program for people like him.

It just doesn’t make sense that there is none. His behavior might seem a little radical, but the flaw isn’t his fault; he just discovered it.

If you wanna maintain your house you have to pay for it, no matter whom you hire. Especially if you can’t do it yourself.
 
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.
"Unprofessional"? This security researcher and Apple aren't exactly colleagues, now are they?
 
Well, if the end result is Apple creates a bug bounty program, then I'd argue the first two points kinda counteract the second....

Pick up a dictionary.

He is under absolutely no obligation to show them anything. "Doing the right thing" doesn't put food on the table.

If Apple doesn't pay him, someone else more dangerous will.
Apple is under no obligation to pay him either. He can sell it on the black market if he wants, but it would only further prove his lack of moral standards.
What he is doing is a form of blackmail basically.
 
Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.
Just as unprofessional as not paying hard workers for the things they do right?
 
How does Apple not have a bug bounty program? Did they start believing their own marketing on Mac OS?
They don’t care about Mac too much anymore because it’s not a good source of profit.
Instead they focus on iPhones and iOS and try to force this limited and basic phone OS as a desktop replacement, which in reality is a joke.
 
So blackmailing is the solution, then?
Sorry, where did you get the blackmailing bit from?

The way blackmailing usually works is “I do this thing that is damaging you if you don’t do something that pleases me”.
This guy is not threatening to do anything at all.
 
Just as unprofessional as not paying hard workers for the things they do right?

But that isn't the case, is it? This researcher does not work for Apple.

He started his research unasked and without any promise of payment -- and as many have pointed out, he apparently does not want paying anyway. He wants Apple to start a bug bounty programme for macOS. That's a really great idea. What I find worrying is that there is a severe, unpatched bug which could be fixed very quickly, but details of the bug are being used as leverage to get Apple to do something.

That 'something' -- the bounty -- is objectively a good idea. It's such a good idea that there must be a way of steering Apple towards it that doesn't involve leaving millions of users without a patch for a known bug. Hell, give Apple the info for this one and say that he won't look any further into macOS since he rightly wants to focus on bug-hunting for those companies which do offer bounties.
 
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.

It's not dangerous or unprofessional, especially since he's disclosing that a vulnerability was found. Bad guys discover this kind of stuff all the time and don't say anything.
 
Why should someone spend their time researching these issues and discovering them if they are not going to be compensated? What incentive is there?

As there is currently no bounty programme, why should Apple pay him for his work? But this is a moot point really -- he doesn't seem to want payment anyway -- he wants a bounty programme put in place so future efforts will be rewarded.

But in the meantime, there is an actual, known, unpatched bug affecting millions which Apple could be fixing right now, but can't because a researcher wants to make their point.

As it stands there's no guarantee their efforts will actually discover any bugs or exploits. If he just gives Apple the info, what incentive does Apple have to institute a bug bounty?

Let's say he does this one for free. He can make it his choice (just as he chose to do this work before) not to look at macOS any further and instead concentrate on products which do have bounties.

This is Apple's incentive. To keep obviously talented researchers like him actively looking at macOS.

If there wasn't this bug here, right now, and we were instead just discussing 'should there be a bounty for macOS bugs?', I'd be right there with you saying, 'well, without one, what's the incentive?'. But there is this bug, right now. Help fix it and then sort out the bounty stuff, eh?
It's not dangerous or unprofessional, especially since he's disclosing that a vulnerability was found. Bad guys discover this kind of stuff all the time and don't say anything.

So 'the bad guys do it' is supporting evidence for it not being 'dangerous or unprofessional'?

The safe, professional approach is to disclose the details but tell Apple that you'll no longer work on macOS until a bounty programme is in place. Then, this *known* bug gets fixed and Apple gets the point that bounties would encourage better 3rd-party security research by the good guys.
 
Risk assessment:

1. Offer bug bounty for MacOS, or
2. Keep trying hard to remain #1 most valuable company.

Shareholders, your vote?
 
Sorry, where did you get the blackmailing bit from?

The way blackmailing usually works is “I do this thing that is damaging you if you don’t do something that pleases me”.
This guy is not threatening to do anything at all.

You are probably right. The way I saw it was: either Apple pays him or he won’t tell Apple where the security flaw is, therefore leaving millions of Macs vulnerable.
 
This appropriate cartoon was for some reason sitting on my desk this morning.
 
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.

If you're good at something, don't do it for free.
Apple is under no obligation to pay him either. He can sell it on the black market if he wants, but it would only further prove his lack of moral standards.
What he is doing is a form of blackmail basically.

Lack of morals or need for labor to be paid for. You would probably be on the other side if this were Google.
 