Researcher Gives Apple Details of macOS Keychain Security Flaw Despite No Mac Bug Bounty Program

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Mar 4, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A German teenager who discovered a macOS Keychain security flaw last month has now shared the details with Apple, after having initially refused to hand them over because of the company's lack of a bug bounty program for the Mac.


    Eighteen-year-old Linus Henze dubbed the zero-day macOS vulnerability he found "KeySteal," which, as demoed in the video above, can be used to disclose all sensitive data stored in the Keychain app.

    Henze said he decided to reveal the details to Apple because the bug "is very critical and because the security of macOS users is important to me."


    After Henze released the video in early February, Apple's security team reached out to him, but the researcher said he wouldn't disclose the details without a cash reward, arguing that discovering the vulnerabilities takes time.

    "Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."

    Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.

    Article Link: Researcher Gives Apple Details of macOS Keychain Security Flaw Despite No Mac Bug Bounty Program
     
  2. StellarVixen macrumors 68000

    StellarVixen

    Joined:
    Mar 1, 2018
    Location:
    Earth
    #2
    He probably cares about Mac OS as a platform, and wants to see bugs fixed.


    Thank you, Linus.


    Now, Apple, listen to the people, and start a bug bounty program.
     
  3. sofila macrumors 6502a

    sofila

    Joined:
    Jan 19, 2006
    Location:
    Ramtop Mountains
    #3
    I can't really imagine a way of blaming him for his behaviour, but I'm sure this forum won't leave me disappointed.
     
  4. Imory macrumors 6502a

    Joined:
    Feb 2, 2013
    Location:
    Wonderland
    #4
    He has a point. Good on him for making it available.
     
  5. GaryMumford macrumors 6502

    GaryMumford

    Joined:
    Jul 25, 2008
    Location:
    UK
    #5
    He probably cares more about Mac OS as a platform than Apple does.
     
  6. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #6
    It kind of baffles me that Apple does not have a ‘bug bounty program’. You would think, as particular and stringent as Apple tends to be with their software, that it would only behoove them to implement something where hunters can locate/report issues to eradicate them.
     
  7. 69Mustang, Mar 4, 2019
    Last edited: Mar 4, 2019

    69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #7
    Get a bounty program for Macs. This is not a good look for Apple. There's no reason to have a program for iOS and not MacOS.
     
  8. loby macrumors 6502a

    loby

    Joined:
    Jul 1, 2010
    #8
    Maybe there are too many bugs in MacOS and Tim would lose too much money on the deal...
     
  9. Relentless Power, Mar 4, 2019
    Last edited: Mar 4, 2019

    Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #9
    I know you’re being facetious, but that’s just it: Apple has plenty of money and likely the resources to implement a program that would help eradicate issues, but for whatever reason, they don’t want to extend a hand. There’s no logical reason why they won’t implement a bounty hunting program.
     
  10. Megakazbek macrumors regular

    Joined:
    Mar 12, 2011
    #10
    It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.
     
  11. blitzwing macrumors member

    Joined:
    Sep 30, 2012
  12. canadianreader macrumors 6502a

    canadianreader

    Joined:
    Sep 24, 2014
    #12
    Get rid of Apple Keychain, which relies on your Mac password, and replace it with KeePass or any other secure password manager.
     
  13. iapplelove macrumors 601

    iapplelove

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #13
    How could they not have a bug bounty program for Mac OS?
     
  14. bobob macrumors 68030

    bobob

    Joined:
    Jan 11, 2008
    #14
    No problem, just switch over to another operating system with a higher level of security.
     
  15. chrono1081 macrumors 604

    chrono1081

    Joined:
    Jan 26, 2008
    Location:
    Isla Nublar
    #15
    I'm sorry but this is just BS. I used to support Windows environments for a living, what you see on Mac is literally nothing compared to what you see on Windows.
     
  16. frifra macrumors 6502a

    frifra

    Joined:
    Nov 29, 2008
    #16
    Poor Apple. This will hurt them one way or another.
     
  17. Mydel macrumors 6502a

    Mydel

    Joined:
    Apr 8, 2006
    Location:
    Sometimes here mostly there
  18. jasonsewell macrumors newbie

    Joined:
    Apr 27, 2010
    Location:
    23226
    #18
    The guy painted himself into a corner. Optics and public sentiment aside, once you disclose that you have damaging information about a software vulnerability, and then you demand money or other concessions before disclosing the information to the software developer, you are coming very close to the legal definition of extortion.

    I’m guessing an attorney pointed this out to the guy.
     
  19. swingerofbirch macrumors 68040

    Joined:
    Oct 24, 2003
    Location:
    The Amalgamated States of Central North America
    #19
    This makes Apple look terrible.

    He even reached out to them and said he would share the findings without remuneration if they would just explain why they don't have a Mac bug bounty program, and they stonewalled him—spiting their customers.

    I used to report bugs to Apple through the free developer program (which I had to sign up for in spite of not being a developer) but I gave up because they never responded and never fixed anything.

    I think Apple's tendency is to make a product and go onto the next big thing and not leave enough people working on their current products. Tim Cook says they have huge things in the pipeline. But they have not increased their employee size relative to how huge of a company they are now. If it's true they have huge things in the pipeline, they probably divert engineers who would otherwise work on the Mac to whatever the big new thing is. Back when the iPhone was introduced, Apple even admitted to that. They delayed the release of Leopard specifically because they put Mac engineers on the iPhone project. Apple even says that they work like a startup. But startups make one product. Apple has many platforms and they get very neglected.
     
  20. hagjohn macrumors 6502

    hagjohn

    Joined:
    Aug 27, 2006
    Location:
    Pennsylvania
    #20
    A Google Project Zero researcher also found a copy-on-write (COW) flaw in the MacOS kernel, which they just released publicly because it has been over 90 days since they notified Apple.
     
  21. Plutonius macrumors 604

    Plutonius

    Joined:
    Feb 22, 2003
    Location:
    New Hampshire, USA
    #21
    I think that a bug program for MacOS would affect Apple's bottom line.

    A large number of 2018 MacBook Pro owners would want to get paid for their bridgeOS crashes :).
     
  22. BaltimoreMediaBlog macrumors 6502a

    BaltimoreMediaBlog

    Joined:
    Jul 30, 2015
    Location:
    DC / Baltimore / Northeast
    #22
    Apple doesn't care because Mac OS is the Apple ][ of 2018. Eventually, Apple will just sell iOS devices. They are clearly headed in this direction. :(
     
  23. lambertjohn macrumors 6502a

    Joined:
    Jun 17, 2012
    #23
    How does Apple, with all their billions in the bank, not have quality guys on their payroll who can root these bugs out and squash them without having to depend on unpaid outsiders to help point them out to them?? Does Apple buy their engineers from Walmart?
     
  24. 69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #24
    No he's not. He would be close to extorting if he said he found a vulnerability and he threatened to release it into the wild if he didn't get paid by Apple. That's not what he did. He threatened to withhold disclosure. Withholding disclosure is not illegal at all.
     
  25. DoctorTech macrumors 6502

    DoctorTech

    Joined:
    Jan 6, 2014
    Location:
    Indianapolis, IN
    #25
    First, thank you Linus for sharing the info with Apple.

    I can only think of 2 reasons why Apple wouldn't have a bounty program for Mac OS security flaws (neither makes Apple look good).
    1) Apple doesn't care enough about Mac OS to pay a bounty for finding security flaws or
    2) Apple is afraid of what the bounty program would cost.

    I really hope there is a different, actual reason they don't have a bounty program but I can't think of what it would be.
     
