macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 6, 2019.

  1. GGJstudios macrumors Westmere


    Joined:
    May 16, 2008
    #201
    Of course. The key element in your statement is that they were able to run code on your system, which cannot be done unless you allow the code to be inserted, usually by installing a Trojan. Even in the discussed vulnerability, an exploit would have to be introduced to your system in a similar manner. Practicing safe computing is always a good idea, and will protect you against threats of this nature.
     
  2. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #202
    I'm pretty sure there are tools to automate the sifting through the data of a keylogger. You'd simply look for repeated strings that are not words, email addresses, URLs and you'll quickly get to passwords (if your target is a programmer, this might be more complicated but any decent hacking tools would have dictionaries for the common languages). And once you know the login password, you can use that to open the keychain yourself and get access to all its contents.

    The question is what kind of access you need to install a keylogger (and phone home incl. sending a copy of the keychain to yourself) and what kind of access the exploit this thread is about needs. Since we don't know very much about the latter, this question cannot be answered at the moment.
    --- Post Merged, Feb 8, 2019 ---
    Yeah, we don't know enough about this exploit to really know how dangerous it is.
     
  3. Hanson Eigilson macrumors regular

    Joined:
    Sep 19, 2016
    #203
    Even with tools, that still requires a lot of human intervention and time to gather data, and is not very practical on a large scale. The keychain is designed to be machine readable and is structured to be queried effectively by machines; the difference in scale and cost to deploy large-scale hacks is immense.
     
  4. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #204
    I didn't say they were the only ones. I am typing this on a Note 9, I know other phones can cost as much. Also, you're right, it's not the same thing. This person should be defended more, because he's a fellow human as opposed to a faceless corporation that hoards over 200b in cash.
     
  5. geniusj macrumors regular

    Joined:
    Feb 27, 2004
    Location:
    Sunnyvale, CA
    #205
    I believe that it's a vector for malware to use. An app is not supposed to be able to extract all of your passwords from your Keychain, and, for example, ship it off to a server somewhere. With this vulnerability, though, I'm guessing they could.
     
  6. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #206
    That corporation is owned by the shareholders.
     
  7. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #207

    And?
     
  8. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #208
    They are fellow humans too...
     
  9. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #209
    Okay, good for them. But don't pretend the people here are defending those poor shareholders. They're defending Apple, a corporation with hundreds of billions of dollars.
     
  10. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #210
    Again, you’re not getting it. “Apple” doesn’t have any cash. All that cash is owned by shareholders, who are people.
     
  11. cfurlin macrumors regular


    Joined:
    Jun 14, 2011
    #211
    Oh right, I forgot. The other battle cry of the Apple Paleolithic holdouts.
     
  12. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #212
    Apple decides where the money goes, don't be pedantic.
     
  13. BasicGreatGuy Contributor


    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #213
    I am not concerned about this hack, as I practice safe computing. Those that readily install hacked programs and blindly give system access to such programs could be at a greater risk.
     
  14. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #214
    And investors decide if they want to buy or sell their stock and if they want to re-elect the board.

    Point is, shareholders are people too. There are consequences for companies doing stupid things. Just ask IBM.

    A lot of the cash position is being used to buy back shares at the moment, which investors like. That's why we keep holding and buy more.
     
  15. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #215
    So you're arguing that Apple is hoarding hundreds of billions because they need it for buybacks. That's a fair argument, but they're not buying back anywhere near that and the fact that it's spread over time tells me you're wrong.
     
  16. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #216
    They are buying back $100B in AAPL at the moment and will update the shareholders again in May with likely even more. They also have $100B in long term debt they correctly took on because it saved investors money while the tax law was ridiculous and their money was stuck overseas. They actually only have $130B in net cash.

    Apple's biggest issue is they literally have too much cash. And no, you can't just go on a buying spree of random companies like NFLX because you have cash lying around. Look at Berkshire Hathaway. They have the same problem with excess cash. It's hard to find deals big enough to move the needle and/or with an attractive enough value to make sense.

    So I don't agree at all with the term "hoarding cash." They are simply making a lot of money, but returning a lot to shareholders too.
     
  17. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #217
    So if they're making too much cash, maybe they can stop bending people over a barrel for stuff like more than 5GB of cloud storage or continuing to raise the low end iPhone or charging the same amount for multiple-year-old Macs.
     
  18. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #218
    “Too much cash” is just a term in business used for companies buying back shares. There is really no such thing as “too much.”

    Apple is owned by the shareholders, again, not to beat a dead horse. They expect a return and they want Apple charging what they can get. The guys in charge have a responsibility to increase shareholder value, period. This isn’t charity...it’s business. It’s all about money.
     
  19. GGJstudios macrumors Westmere


    Joined:
    May 16, 2008
    #219
    Define "too much cash". Your arguments are ridiculous and appear to be an attack on the free enterprise system. Apple is one of millions of companies who produce products and services in exchange for money. The goal is to be profitable. There is no limit on how much money a company can or should make. Every company has the right to price their goods and services as they deem appropriate. If their prices are too high for some consumers, those consumers don't have to buy their products. It's as simple as that. It is naive and irresponsible to criticize a person or company simply because they're more successful than others. No company makes perfect products and the majority of the world isn't foolish enough to expect perfection. There always seem to be a few who are foolish enough to think that Apple in particular is evil because it makes good-but-imperfect products and prices them higher than some segment of the population can or chooses to afford. I could make the same silly argument about Rolls Royce, Rolex, and many other companies that produce products for the more affluent, but it would still be a silly argument.

    Apple is profitable.
    Apple has billions in cash.
    Apple products aren't perfect.
    Apple products aren't priced for everyone.

    Get over it.
     
  20. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #220
    I wasn't the one who initially used the term too much money. Sure would be nice if you read before jumping in.
    --- Post Merged, Feb 8, 2019 ---
    And paying to get people to make the Mac more secure would make the product more valuable.
     
  21. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #221
    Apple has proven they can execute better than any company on the planet, with earnings. Who are you to question their strategy?
     
  22. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #222
    Wow, are you for real?
     
  23. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #223
    Nobody said they were perfect.
    --- Post Merged, Feb 9, 2019 ---
    Let's say you were a shareholder of Apple and at their annual convention they would float a motion to increase that limit. Would you vote for it out of the goodness of your heart even if it meant that Apple's profits (and thus the share price and/or dividends) would be lower? Assuming for a second the forgone income would not be compensated for by more satisfied customers buying more Apple products.

    And would you vote for it if you were representing a mutual fund or a pension fund? Or would you invest in a mutual fund that vows to fight excessive profits by pushing highly profitable companies to lower their prices and/or increase the value of their products at constant prices?
     
  24. Michael Goff macrumors G5


    Joined:
    Jul 5, 2012
    #224
    I doubt they'd have to ask the shareholders. But if I were a shareholder and it was floated, then every time I would vote Yes. I would want people to only have good things to say about the Apple ecosystem. That would lead to more cash.
     
  25. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #225
    Is all your investing based on choosing companies that care a lot about their customers, the environment or other worthy causes? Or is Apple the only company you would apply an ethics-based approach to investing? Or do you only care about such things if you are not invested in a given company, i.e., do you prefer to let other investors accept lower returns for worthy causes while you stick to the companies that maximise returns?
     
