So 'the bad guys do it' is supporting evidence for it not being 'dangerous or unprofessional'?

The safe, professional approach is to disclose the details but tell Apple that you'll no longer work on macOS until a bounty programme is in place. Then, this *known* bug gets fixed and Apple gets the point that bounties would encourage better 3rd-party security research by the good guys.

Yes it is. They're doing the same thing this guy is doing, but they're not telling anyone. The claim that he somehow just made things more dangerous is unlikely. And publicizing but not disclosing it to Apple is probably more effective at convincing them to institute a bug bounty program, which is his goal. We're talking about Apple's lack of a bounty program right now. Do you think we would be if he just wagged his finger at them? I doubt it. The discourse would be about the bug and its fix. It's actually quite smart of him.
 
I'm kind of frustrated that people here are slamming him for wanting money, but these same people will defend $1000 iPhones.
 
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.

I suspect there are a number of entities out there that would buy the info from the bug hunters. It makes sense to have one. Unless of course you are drinking your own koolaid ...
 
I would like to hear what the Tim lovers/defenders have to say now.
First the FaceTime bug, now this, and I'm not bringing up all the old exploits from High Sierra;
that was a total disaster.

I know guys, it's not Tim's fault, he doesn't write the software;
he just approves anything and doesn't ask people to do it better.

Well, after seeing this, it's either stay off the grid or change all your passwords.
Many people will say don't download anything unless it's from the App Store;
that used to work, but now there are many things hidden even in those apps.
By the time Apple finds out it might be a bit too late.

I think the best thing is for Tim to go away.
Apple needs a strong leader, a man who can say "that is not good enough,
sorry, I can't accept that, do it better."

Tim doesn't know how to get the best out of people.
I know many don't want to hear this, but it's true.
Steve was very good at this.
 
> I would like to hear what the Tim lovers/defenders have to say now.
> First the FaceTime bug, now this, and I'm not bringing up all the old exploits from High Sierra;
> that was a total disaster.
>
> I know guys, it's not Tim's fault, he doesn't write the software;
> he just approves anything and doesn't ask people to do it better.
>
> Well, after seeing this, it's either stay off the grid or change all your passwords.
> Many people will say don't download anything unless it's from the App Store;
> that used to work, but now there are many things hidden even in those apps.
> By the time Apple finds out it might be a bit too late.
>
> I think the best thing is for Tim to go away.
> Apple needs a strong leader, a man who can say "that is not good enough,
> sorry, I can't accept that, do it better."
>
> Tim doesn't know how to get the best out of people.
> I know many don't want to hear this, but it's true.
> Steve was very good at this.
Tim is not going anywhere. If the number of bugs were the watershed of whether a ceo should stay or go, Microsoft would shut down.
 
That's so unprofessional, and in the end only macOS users lose out, because now he has demonstrated that there is an issue; it's only a matter of time till some criminal works out how to do it!

I hope he ends up getting sued for every penny he has.
 
> That's so unprofessional, and in the end only macOS users lose out, because now he has demonstrated that there is an issue; it's only a matter of time till some criminal works out how to do it!
>
> I hope he ends up getting sued for every penny he has.

Why would he get sued?
 
When Apple raises the price, it's the right thing to do.

When this happens, the researcher should do "the right thing" and let Apple know freely.

I would not. Apple being a greedy-as-hell company, I would also do my best to gain from them legally when a chance comes.
 
Stopped using keychain long ago. Did not trust it.

I would like to stop using Keychain as it still has not fixed the Local Items folder bug but when I tried LastPass last year, the app caused my Macbook Pro to go into fan overdrive.

Also I don't want to pay for a password manager and I only need local access, I don't want the cloud.
 
Nobody asked him to perform the security test. He did this in his free time. Why the hell should he now blackmail Apple? Also, if he considers himself a "good" hacker or "ethical" hacker, he disqualified himself by asking for any kind of money with this. If he wants to be paid by Apple, then he should submit a CV and become their employee.
 
HA!
It would be like telling someone there is a horrible design flaw in the house/building they live in and it could fall down at any moment, then saying I am not going to tell you unless you pay up.
Yeah, but you'd have to take into account that the house owner is Rockefeller, who offers money to architects pointing out issues with his summer mansion but refuses to do so for his other buildings.
No, I am stating that someone would need physical access to a Mac, would need to have the user password and manage to install a malicious app in order to get access to the keychain information, without the owner having a clue.

You have no idea what you're talking about. All it takes is offering a semi-decent app that will be semi-popular and just sprinkling this functionality on top of it. That's how it's mostly done, and this kind of app is called a Trojan for a reason.

> but MAS protects me!
A lot of apps are offered outside of MAS, for example Coconut Battery which you'll find on 90% of all MacBooks.
> but doing this will take time
Yes it will, but people in that trade are patient. I bet some have apps prepared in advance, waiting for some exploit to be discovered.
> but I download only trusted apps!
The attacker hijacks a webserver and replaces the original app with his malicious one, which is indistinguishable for regular Joe. It has happened in the past with, amongst many others, uTorrent, the most popular torrent client on the planet.
 
It’s clearly not a financial decision.

No, Apple are sending a clear message

There is a bug programme for iOS, but not one for Mac

They are letting high-end/professional Mac users know that, despite their "We love the Mac" public messages, they should start preparing for the Mac to be killed off.

If your business can't run on iPad Pros then Apple doesn't care

Fair warning from Tim
 
Can you imagine if you had to pay in order to test your software and report bugs about Apple's own software? I mean, like paying to do Apple's job.

Oh wait, they already milk developers by asking money for the beta program :D.
 
The moral and ethical attitude of the security/bug researcher needs to be questioned, because he already admitted knowing that Apple does not have a bug bounty for macOS, so that begs the question: why was he searching for bugs in macOS in the first place?

My answer to that is he was looking for bugs in the hope that, in finding one, he could inform the tech community he found a bug but not provide info to Apple, so he could use it to exploit Apple into forcing them to introduce a bug bounty for macOS.

By refusing to give Apple info about the bug, all he has done is given hackers the heads up on where to start looking, the 'keychain'.
 
I'd say this guy already gave Apple some free help by disclosing that there is a bug. Apple don't have to pay him but equally he doesn't have to tell them anything more for free.

I assume this guy makes a living bug hunting, I'm sure there would be other people willing to pay for the information if Apple won't. If I were in his position I'd have no problem selling that info to the highest bidder. It's not like he's dealing with a charity here. Doing things for free doesn't pay the mortgage.
 
Actually he already broke German law by hacking the OS. Hacking IT systems without prior OK from the owner is illegal in Germany. It's a criminal offence worthy of multiple years in prison...
That's a silly comment. Of course he is the owner of the system he hacked.
 
> I'd say this guy already gave Apple some free help by disclosing that there is a bug. Apple don't have to pay him but equally he doesn't have to tell them anything more for free.
>
> I assume this guy makes a living bug hunting, I'm sure there would be other people willing to pay for the information if Apple won't. If I were in his position I'd have no problem selling that info to the highest bidder. It's not like he's dealing with a charity here. Doing things for free doesn't pay the mortgage.

The guy knows macOS does not have a bug bounty, therefore why was he bug searching in the OS that he knew would not get him any money? This reeks of the guy having an ulterior motive for searching for macOS bugs, which is to blackmail Apple into introducing a bug bounty for macOS.
 
> That's so unprofessional, and in the end only macOS users lose out, because now he has demonstrated that there is an issue; it's only a matter of time till some criminal works out how to do it!
If criminals can now figure it out, why can't Apple?
 