Maybe he's a Mac user and he was looking as a little side project? Doesn't matter, the fact is he's potentially found something but now has no avenue to pass that info to Apple unless he gives it to them for free and undermines the value of his time.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest
- Thread starter MacRumors
- Start date
- Sort by reaction score
If you had taken the time to read the original article, you will have noticed that the man in question is a German security researcher who designed his own malicious app to extract the contents of the 'keychain'. This is not the actions of a 'Mac user looking for a little side project' but the actions of someone specifically going out of their way to find something, in this case, software bugs in macOS.
He put his time and effort into finding the bug, designing his own app to exploit the bug all whilst knowing full well there is no bug bounty that would financially reimburse him for his efforts, but he carried on anyway. This therefore implies his intentions where not honorable and thus this was proven when he said he would not release his research to Apple until they introduce a bug bounty for macOS.
It's blackmail, pure and simple.
Extortion would be to ask them directly for a payment, for the specific bug.
He asked for a general bug bounty program, which should already exist in an OS and company the size of Apple.
Same thing with Windows. These companies seriously need to stop with these yearly updates. Wait 2-3 years like the old days and get the OS in good shape.
The default behavior of any user account is to unlock the Login Keychain when you login. The Login Keychain or any other Keychain can be set to a different password than what you use at login.
[doublepost=1549550125][/doublepost]It's incorrect to say an Administrator password is needed to unlock the Keychain. Typically an Administrator account can only unlock the Keychain for their own account. A Standard User has their own Keychain and they do not need an administrator account to unlock their own keychain.
Last edited:
Well the article appears to be in German so, yeah I didn't read it. Still could have been poking around just as a side project though. You know, just for the sake of learning and being inquisitive.
What are you talking about? He is the guy that jumps in front of a car and starts cleaning your windshield and then demands to be paid. Nobody asked for it. End of story.
Yes.
Maybe if he wants to. Or otherwise not do such "work" if there is no market, i.e. nobody offering a bounty program.
On a side note the dealer didn't fix it for free they're reimbursed by the manufacturer..
---
Maybe this carrot will be enough to start a program they're really isn't a reason not to have one for any commercial software.
and then pretty soon all you have is the "nefarious" folk looking for these to sell and/or use.
That, from Apple's side is pretty Darwinistic.
This is essentially a "proof of concept" exploitation of a macOS vulnerability, so it's not "in the wild" where your Mac could be affected. It would most likely be delivered via a Trojan, which would require your action to be installed. So just be careful about what you install.
Another day, another security hole in every single operating system and app in the world. It's not just Apple. Every software app has flaws.
There is no security disadvantage in running on an admin account. That's ancient thinking.
Nope, based on the fact that Apple cannot IMO have more than 1.5 employees involved in updating Mac Cocoa APIs. How do I know? Because using Cocoa on macOS is like programming in the stone-age compared to UIKit APIs. Everyone that is anyone at Apple works on iPhone not Mac. Mac is on life support and there seems to be, based on Apple's development progress, a concentrated effort to kill off Cocoa, or convert everyone to iOS.
Then I'm sure you won't mind if he doesn't tell how to reproduce the issue.
Thanks GGJ, can you explain the admin account, zero advantages to using the internet on a non-Admin account? I have read so many articles over the years that recommended to create a non-Admin account to conduct all of your internet activities.
The connection is that apparently macOS is "still better than Windows" or whatever "so what" statement they're going to make.
Here's a 10-year old article that discusses the different account types, and even that article states there's no risk in running an admin account. Regardless of the account type, you should be careful when entering your password to install apps or give them permission to do certain things. In other words, think before you act.
I think if bug bounty hunters really focused on the security vulnerabilities of macs, there would be an overwhelming number of exploits discovered. It's the only reason why they don't have a bug bounty.
[doublepost=1549576054][/doublepost]Apple is in a tough position and will likely fold and pay the bounty as they should. Their other option is facing the many lawsuits that pop-up any time there is a vulnerability.
[doublepost=1549576054][/doublepost]Apple is in a tough position and will likely fold and pay the bounty as they should. Their other option is facing the many lawsuits that pop-up any time there is a vulnerability.
He can't be sued. No one other than employees have any obligation to report flaws in Apple's software. It's not unprofessional to want to be compensated for work done. There are plenty of vulnerabilities in all software. That is no guarantee that an exploit will be developed for any particular vulnerability, or that an exploit would be released into the wild. Most vulnerabilities are discovered and patched before anyone exploits them, as will likely be the case here, even if Apple doesn't pay a bounty.