He can't be sued. No one other than employees has any obligation to report flaws in Apple's software. It's not unprofessional to want to be compensated for work done. There are plenty of vulnerabilities in all software. That is no guarantee that an exploit will be developed for any particular vulnerability, or that an exploit would be released into the wild. Most vulnerabilities are discovered and patched before anyone exploits them, as will likely be the case here, even if Apple doesn't pay a bounty.

He shouldn't be sued, but Apple is suing a company because they may at some point possibly come after them for patent fees. Litigation is not off the table here.
 
Another reason ***NOT*** to use Apple's Keychain for all your passwords!

Use a solution actually dedicated to doing it right, like 1Password or PasswordWallet by Selznick. For Apple, this stuff is just another half-baked feature add-on.

How does Apple not have a bug bounty program? Did they start believing their own marketing on Mac OS?

Because macOS just isn't really a priority anymore. They probably just never got around to implementing (or even thinking about) such a program for it, like they have for iOS.
 
You mean like every structural engineer who walks/bikes/drives past a dilapidated building? Hell, they even said "your building has serious problems"...they just didn't show you how to fix it.


HA!
It would be like telling someone there is a horrible design flaw in the house/building they live in and it could fall down at any moment. Then saying I am not going to tell you unless you pay up.
I am going to mow your lawn/shovel your driveway. I want $50.

So what that you never asked me to do it? I worked hard. Pay me.

Just as unprofessional as not paying hard workers for the things they do right?
 
The connection is that apparently macOS is "still better than Windows" or whatever "so what" statement they're going to make.
Again we are not talking about who is better than what (it is actually also subjective). I was talking about the declining quality of Mac OS.
I keep failing to see the connection. I never spoke about Windows, and Windows has nothing to do with Mac OS.

My statement was that compared to previous versions the quality of Mac OS declined, and I stand by it.

Did Windows quality improve or decline? I do not care it was never part of my argument, and one improving / declining has no impact on the other.

P.S.
It's not the 90s anymore, let's get out of the Win / Mac thingy, been there done that, to each his / her own.
 
I am going to mow your lawn/shovel your driveway. I want $50.

So what that you never asked me to do it? I worked hard. Pay me.
And, well, since you’re not willing to pay, I’m going to see to it you get a lot of bad publicity. So are you sure you don’t want to pay? Trust me, it’s in your best interest... I’m not doing this for my benefit, after all.
 
Again we are not talking about who is better than what (it is actually also subjective). I was talking about the declining quality of Mac OS.
I keep failing to see the connection. I never spoke about Windows, and Windows has nothing to do with Mac OS.

My statement was that compared to previous versions the quality of Mac OS declined, and I stand by it.

Did Windows quality improve or decline? I do not care it was never part of my argument, and one improving / declining has no impact on the other.

P.S.
It's not the 90s anymore, let's get out of the Win / Mac thingy, been there done that, to each his / her own.

But that's what MacRumors is good for. Everyone here is a big proponent of the "but what about..."
 
Apple software is written by Apple. It's closed source. A researcher has found a bug and wants paying for it. Additionally, he would like a bug bounty program introduced for Mac. Not a bad idea. This is not extortion as no harm is being done to anyone's Mac and Apple's security researchers may be able to work this issue themselves. Apple's staff don't work for free (although it sometimes seems like it!)
 
Apple is under no obligation to pay him either. He can sell it on the black market if he wants, but it would only further prove his lack of moral standards.
What he is doing is a form of blackmail, basically.
And why exactly is Apple so unwilling to provide proper incentives for public security oversight that he has to resort to blackmailing them into it?
They think their users are ignorant, or that their PR is just so good that nobody cares about how stuff actually works?
 
keychain exploits are serious.
It's NOT unprofessional to research ZeroDayExploits, there is a whole industry living on it.
It's NOT unprofessional to NOT show your Exploit to Apple, there is a whole industry living on it.
It IS unprofessional to build in backdoors; the above industry is looking forward to it.
It IS unprofessional to not use open source in security-sensitive matters; the above industry is looking forward to it.

And it is damn stupid to not have a bounty program for any industry selling code and security relevant hardware.

Every exploit has a market value, that value is NOT determined by the bounty reward, which is always less than the market value. Thumbs up for (NOT yet) handing the exploit to Apple.
 
Actually he already broke German law by hacking the OS. Hacking IT systems without prior OK from the owner is illegal in Germany. It's a criminal offence worthy of multiple years in prison...
That is pure and utter nonsense. He hacked his own system.
 
And why exactly is Apple so unwilling to provide proper incentives for public security oversight that he has to resort to blackmailing them into it?
They think their users are ignorant, or that their PR is just so good that nobody cares about how stuff actually works?
Because nobody asked you or him to do anything? Is this some new SJW/far left nonsense ******** to force people and or companies into submission just because they feel they are entitled?
 
Nobody asked him to perform the security test. He did this in his free time. Why the hell should he now blackmail Apple?
He does not.

Blackmailing would be if he threatened to release that information if Apple would not pay, which he ruled out. Doing otherwise would indeed put him in jail in Germany.

He just demonstrated that there is a vulnerability, and asks Apple to pay for more information (and not just this one time to him, but as a structural approach regarding the general issue).

This would create a legal market for vulnerabilities, and it would be in Apple's best interest to do it. And no, I would not consider this folding.
 
Because nobody asked you or him to do anything? Is this some new SJW/far left nonsense ******** to force people and or companies into submission just because they feel they are entitled?
This story is spun in such a way as to measure the guy doing the research, as if he matters at all. He doesn't matter, and his bug probably doesn't matter that much at all, but what does matter is that Apple is not willing to give bug bounties to people that investigate bugs like this, and that it puts millions of macOS users at risk.
Personally I have noticed odd behaviours in many frameworks, sometimes security ones too, but I did not investigate because it's hard work, and it feels like Apple simply doesn't care.
I don't know where you got the SJW thing from; generally expecting to get paid for the work you do by the people that benefit from it seems like a thing with broad political appeal. In any case there is no shortage of people that benefit from security flaws in not so healthy ways; I'm sure they would pay the guy if Apple is too drunk on its own Kool-Aid to budge.
 
This story is spun in such a way as to measure the guy doing the research, as if he matters at all. He doesn't matter, and his bug probably doesn't matter that much at all, but what does matter is that Apple is not willing to give bug bounties to people that investigate bugs like this, and that it puts millions of macOS users at risk.
Personally I have noticed odd behaviours in many frameworks, sometimes security ones too, but I did not investigate because it's hard work, and it feels like Apple simply doesn't care.
I don't know where you got the SJW thing from; generally expecting to get paid for the work you do by the people that benefit from it seems like a thing with broad political appeal. In any case there is no shortage of people that benefit from security flaws in not so healthy ways; I'm sure they would pay the guy if Apple is too drunk on its own Kool-Aid to budge.
Apple has chosen not to offer any bug bounty programs for OS X at this point. Nobody knows the reasoning behind that decision. Again it doesn’t mean that some guy can come and play basically entitled victim for something he wasn’t asked to do. End of story.
 
Apple has chosen not to offer any bug bounty programs for OS X at this point. Nobody knows the reasoning behind that decision. Again it doesn’t mean that some guy can come and play basically entitled victim for something he wasn’t asked to do. End of story.
Nobody with half a brain would label him the victim, the victims are the people using the only major platform without a bug bounty program, which should be abundantly clear by now.
 
Again we are not talking about who is better than what (it is actually also subjective). I was talking about the declining quality of Mac OS.
I keep failing to see the connection. I never spoke about Windows, and Windows has nothing to do with Mac OS.

My statement was that compared to previous versions the quality of Mac OS declined, and I stand by it.

Did Windows quality improve or decline? I do not care it was never part of my argument, and one improving / declining has no impact on the other.

P.S.
It's not the 90s anymore, let's get out of the Win / Mac thingy, been there done that, to each his / her own.

Remember Leopard? That was some laggy stubborn cat.
I don’t know what macOS (or OS X) you’re referring to, but memory gets blurry as time goes by.
I have several older Macs lying around and I can assure you it takes some patience if you wanna get some stuff done on the last G5 iMac, which shipped with 10.4.
Since Mac OS 10 was released, there have been better and less good systems. Depending on user profile and personal needs.
I think Mojave is a pretty solid release. For me it’s very stable and it’s quite fast or ‘snappy’.
 
Stupid question: If somebody has managed to run code on your system, wouldn't it always be possible to install a keylogger and wait until somebody types in their (login) password and crack the keychain that way?
 
He shouldn't be sued, but Apple is suing a company because they may at some point possibly come after them for patent fees. Litigation is not off the table here .
There is a legal basis for a preemptive lawsuit against a known patent troll that owns patents related to Apple’s products, and has a history of suing other companies like Apple. There’s no legal basis for a lawsuit against a private citizen who has no obligation or agreement or contract with Apple to force them to do something that they are not obligated to do. Anyone with only one year of law school would dismiss such a suit as frivolous and without basis. Apple is responsible to find their own flaws and fix them. The general public is under no obligation to improve Apple’s products.
 
Stupid question: If somebody has managed to run code on your system, wouldn't it always be possible to install a keylogger and wait until somebody types in their (login) password and crack the keychain that way?
In theory a keylogger would provide the same information over time, but in practice the information in the keychain is going to contain realistically 1000 times the number of high-quality passwords per line returned, at a fraction of the speed it takes a keylogger to gather all its spam. If you wanted to hack 1 guy, or 10 guys, a keylogger is probably fine, providing you have as much time to read what they type as they spent typing it, but with a keychain hack you can automate the whole thing: query for the passwords, have automated services running to hit them automatically against an unlimited number of users.
 
Stupid question: If somebody has managed to run code on your system, wouldn't it always be possible to install a keylogger and wait until somebody types in their (login) password and crack the keychain that way?
Of course. The key element in your statement is that they were able to run code on your system, which cannot be done unless you allow the code to be inserted, usually by installing a Trojan. Even in the discussed vulnerability, an exploit would have to be introduced to your system in a similar manner. Practicing safe computing is always a good idea, and will protect you against threats of this nature.
 
In theory a keylogger would provide the same information over time, but in practice the information in the keychain is going to contain realistically 1000 times the number of high-quality passwords per line returned, at a fraction of the speed it takes a keylogger to gather all its spam. If you wanted to hack 1 guy, or 10 guys, a keylogger is probably fine, providing you have as much time to read what they type as they spent typing it, but with a keychain hack you can automate the whole thing: query for the passwords, have automated services running to hit them automatically against an unlimited number of users.
I'm pretty sure there are tools to automate the sifting through the data of a keylogger. You'd simply look for repeated strings that are not words, email addresses, URLs and you'll quickly get to passwords (if your target is a programmer, this might be more complicated but any decent hacking tools would have dictionaries for the common languages). And once you know the login password, you can use that to open the keychain yourself and get access to all its contents.

The question is what kind of access you need to install a keylogger (and phone home incl. sending a copy of the keychain to yourself) and what kind of access the exploit this thread is about needs. Since we don't know very much about the latter, this question cannot be answered at the moment.
Of course. The key element in your statement is that they were able to run code on your system, which cannot be done unless you allow the code to be inserted, usually by installing a Trojan. Even in the discussed vulnerability, an exploit would have to be introduced to your system in a similar manner. Practicing safe computing is always a good idea, and will protect you against threats of this nature.
Yeah, we don't know enough about this exploit to really know how dangerous it is.
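The sifting heuristic the post above describes (repeated strings that are not dictionary words, e-mail addresses or URLs), as an added example that is not part of the original thread or of any tool it mentions. The keystroke entries and the tiny word list are constructed for illustration; a real tool would load a full word list and a logger's actual output format.

```python
import re

# Constructed keystroke log: each entry is the text typed between two
# Enter/Tab presses, as a simple logger might record it. Not real data.
SAMPLE_LOG = [
    "alice@example.com", "Tr0ub4dor&3", "search term",
    "https://example.com/login", "alice@example.com", "Tr0ub4dor&3",
    "meeting notes for monday", "hello", "Tr0ub4dor&3", "1234",
]

# Stand-in for a dictionary (assumption: a real tool loads a word list).
DICTIONARY = {"search", "term", "meeting", "notes", "for", "monday", "hello"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def is_dictionary_phrase(token):
    """True if the token is only letters/spaces and every word is in DICTIONARY."""
    if re.fullmatch(r"[A-Za-z ]+", token) is None:
        return False
    words = token.lower().split()
    return bool(words) and all(w in DICTIONARY for w in words)


def password_candidates(entries, min_repeats=2, min_len=8):
    """Return (token, count) pairs that look like passwords, most frequent first.

    A token qualifies when it was typed at least min_repeats times, is at
    least min_len characters long, and is not an e-mail address, a URL or a
    phrase made only of dictionary words.
    """
    counts = {}
    for entry in entries:
        token = entry.strip()
        if token:
            counts[token] = counts.get(token, 0) + 1

    candidates = []
    for token, n in counts.items():
        if n < min_repeats or len(token) < min_len:
            continue
        if EMAIL_RE.match(token) or URL_RE.match(token):
            continue
        if is_dictionary_phrase(token):
            continue
        candidates.append((token, n))

    candidates.sort(key=lambda pair: (-pair[1], pair[0]))
    return candidates


if __name__ == "__main__":
    for token, n in password_candidates(SAMPLE_LOG):
        print(f"{n}x  {token}")
```

On the constructed log this leaves a single candidate, the string typed three times that is neither an address, a URL nor dictionary words. The same heuristic misses passwords typed once and flags any frequently retyped non-word (a username, a hostname), which is why the post treats it as a slower, noisier path than reading the keychain directly.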
 