macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest

Discussion in 'News Discussion' started by MacRumors, Feb 6, 2019.

  1. Wando64 macrumors 6502


    Jul 11, 2013
    Sued for what?
    He didn’t make the vulnerability. Honestly people, get a grip.
  2. GGJstudios macrumors Westmere


    May 16, 2008
    He can't be sued. No one other than employees have any obligation to report flaws in Apple's software. It's not unprofessional to want to be compensated for work done. There are plenty of vulnerabilities in all software. That is no guarantee that an exploit will be developed for any particular vulnerability, or that an exploit would be released into the wild. Most vulnerabilities are discovered and patched before anyone exploits them, as will likely be the case here, even if Apple doesn't pay a bounty.
  3. groovyd macrumors 65816


    Jun 24, 2013
    ah, but actually there is...

    int main() { return 0; }
  4. Michael Goff macrumors G5

    Michael Goff

    Jul 5, 2012
    He shouldn't be sued, but Apple is suing a company because they may at some point possibly come after them for patent fees. Litigation is not off the table here.
  5. SteveW928 macrumors 65816


    May 28, 2010
    Victoria, B.C. Canada
    Another reason ***NOT*** to use Apple's Keychain for all your passwords!

    Use a solution actually dedicated to doing it right, like 1Password or PasswordWallet by Selznick. For Apple, this stuff is just another half-baked feature add-on.

    Because macOS just isn't really a priority anymore. They probably just never got around to implementing (or even thinking about) such a program for it, like they have for iOS.
  6. pubb, Feb 7, 2019
    Last edited: Feb 7, 2019

    pubb macrumors member

    Mar 13, 2007
    You mean like every structural engineer who walks/bikes/drives past a dilapidated building? Hell, they even said "your building has serious problems"...they just didn't show you how to fix it.

    --- Post Merged, Feb 7, 2019 ---
    I am going to mow your lawn/shovel your driveway. I want $50.

    So what that you never asked me to do it? I worked hard. Pay me.

  7. YaBe macrumors 6502a


    Oct 5, 2017
    Again, we are not talking about who is better than what (it is actually also subjective). I was talking about the declining quality of Mac OS.
    I keep failing to see the connection. I never spoke about Windows, and Windows has nothing to do with Mac OS.

    My statement was that compared to previous versions the quality of Mac OS declined, and I stand by it.

    Did Windows quality improve or decline? I do not care; it was never part of my argument, and one improving / declining has no impact on the other.

    It's not the 90s anymore, let's get out of the Win / Mac thingy, been there done that, to each his / her own.
  8. PickUrPoison macrumors 68030

    Sep 12, 2017
    Sunnyvale, CA
    And, well, since you’re not willing to pay, I’m going to see to it you get a lot of bad publicity. So are you sure you don’t want to pay? Trust me, it’s in your best interest... I’m not doing this for my benefit, after all.
  9. Michael Goff macrumors G5

    Michael Goff

    Jul 5, 2012
    But that's what MacRumors is good for. Everyone here is a big proponent of the "but what about..."
  10. architect1337 macrumors member

    Sep 11, 2016
    Apple software is written by Apple. It's closed source. A researcher has found a bug and wants paying for it. Additionally, he would like a bug bounty program introduced for Mac. Not a bad idea. This is not extortion as no harm is being done to anyone's Mac and Apple's security researchers may be able to work this issue themselves. Apple's staff don't work for free (although it sometimes seems like it!)
  11. Hanson Eigilson macrumors regular

    Sep 19, 2016
    And why exactly is Apple so unwilling to provide proper incentives for public security oversight that he has to resort to blackmailing them into it ?
    They think their users are ignorant or that their PR is just so good that nobody cares about how stuff actually work?
  12. BlunaLuna macrumors newbie

    Jan 23, 2019
    keychain exploits are serious.
    It's NOT unprofessional to research ZeroDayExploits, there is a whole industry living on it.
    It's NOT unprofessional to NOT show your Exploit to Apple, there is a whole industry living on it.
    It IS unprofessional to build in backdoors; it's the above industry looking forward to it.
    It IS unprofessional to not use open source in security sensitive matters; it's the above industry looking forward to it.

    And it is damn stupid to not have a bounty program for any industry selling code and security relevant hardware.

    Every exploit has a market value, that value is NOT determined by the bounty reward, which is always less than the market value. Thumbs up for (NOT yet) handing the exploit to Apple.
  13. Kilibee macrumors newbie


    Oct 12, 2016
    That is pure and utter nonsense. He hacked his own system.
  14. Heineken macrumors 6502a


    Jan 27, 2018
    Because nobody asked you or him to do anything? Is this some new SJW/far left nonsense ******** to force people and/or companies into submission just because they feel they are entitled?
  15. Kilibee macrumors newbie


    Oct 12, 2016
    He does not.

    Blackmailing would be if he threatens to release that information if Apple would not pay – which he ruled out. Doing otherwise would indeed put him into jail in Germany.

    He just demonstrated that there is a vulnerability, and asks Apple to pay for more information (and not just this one time to him, but as a structural approach regarding the general issue).

    This would create a legal market for vulnerabilities, and it would be in Apple's best interest to do it. And no, I would not consider this folding.
  16. Hanson Eigilson macrumors regular

    Sep 19, 2016
    This story is spun in such a way as to measure the guy doing the research, as if he matters at all. He doesn't matter, and his bug probably doesn't matter that much at all, but what does matter is that Apple is not willing to give bug bounties to people that investigate bugs like this, and that it puts millions of macOS users at risk.
    Personally I have noticed odd behaviours in many frameworks, sometimes security ones too, but I did not investigate because it's hard work, and it feels like Apple simply doesn't care.
    I don't know where you got the SJW thing from; generally expecting to get paid for the work you do by the people that benefit from it seems like a thing with broad political appeal. In any case there is no shortage of people that benefit from security flaws in not so healthy ways; I'm sure they would pay the guy if Apple is too drunk on its own Kool-Aid to budge.
  17. Heineken macrumors 6502a


    Jan 27, 2018
    Apple has chosen not to offer any bug bounty programs for OS X at this point. Nobody knows the reasoning behind that decision. Again it doesn’t mean that some guy can come and play basically entitled victim for something he wasn’t asked to do. End of story.
  18. Baymowe335 Suspended

    Oct 6, 2017
    Yeah, exactly the same thing.

    $1,000 is not an Apple only thing, btw.
  19. Hanson Eigilson macrumors regular

    Sep 19, 2016
    Nobody with half a brain would label him the victim, the victims are the people using the only major platform without a bug bounty program, which should be abundantly clear by now.
  20. flygbuss macrumors 6502


    Jul 22, 2018
    Stockholm, Sweden
    Remember Leopard? That was some laggy stubborn cat.
    I don’t know what macOS (or OS X) you’re referring to, but memory gets blurry as time goes by.
    I have several older Macs lying around and I can assure you it takes some patience if you wanna get some stuff done on the last G5 iMac that was shipped with 10.4.
    Since Mac OS 10 was released, there have been better and less good systems. Depending on user profile and personal needs.
    I think Mojave is a pretty solid release. For me it’s very stable and it’s quite fast or ‘snappy’.
  21. Helpfixit macrumors member

    Mar 31, 2015
  22. manu chao macrumors 603

    Jul 30, 2003
    Stupid question: If somebody has managed to run code on your system, wouldn't it always be possible to install a keylogger and wait until somebody types in their (login) password and crack the keychain that way?
  23. GGJstudios macrumors Westmere


    May 16, 2008
    There is a legal basis for a preemptive lawsuit against a known patent troll that owns patents related to Apple’s products, and has a history of suing other companies like Apple. There’s no legal basis for a lawsuit against a private citizen who has no obligation or agreement or contract with Apple to force them to do something that they are not obligated to do. Anyone with only one year of law school would dismiss such a suit as frivolous and without basis. Apple is responsible to find their own flaws and fix them. The general public is under no obligation to improve Apple’s products.
  24. Hanson Eigilson macrumors regular

    Sep 19, 2016
    In theory a keylogger would provide the same information over time, but in practice the information in the keychain is going to contain realistically 1000 times the number of high quality passwords per line returned, at a fraction of the speed it takes a keylogger to gather all its spam. If you wanted to hack 1 guy, or 10 guys, a keylogger is probably fine, providing you have as much time to read what they type as they spent typing it, but with a keychain hack you can automate the whole thing: query for the passwords and have automated services running to hit automatically against an unlimited number of users.