Researcher Gives Apple Details of macOS Keychain Security Flaw Despite No Mac Bug Bounty Program

[Rocketman]

Apple should verify the bug fix and despite no bounty program, just pay him something substantial for finding it. Apple should look through server logs to see if it has been exploited before by others without disclosing it as is common for three letter agencies.

 

[macsrcool1234]

The guy painted himself into a corner. Optics and public sentiment aside, once you disclose that you have damaging information about a software vulnerability, and then you demand money or other concessions before disclosing the information to the software developer, you are coming very close to the legal definition of extortion.

I’m guessing an attorney pointed this out the the guy.

Wrong.

 

[kironin]

Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.

This is silly, they most certainly can easily afford to fund bug bounties for both. He's right, he deserves to be rewarded.

 

[Rocketman]

I think that a bug program for MacOS would effect Apple's bottom line.

A large number of 2018 MacBook Pro owners would want to get paid for their bridgeOS crashes .

Silly boy.

Apple pays researchers to find bugs on certain targeted OS's. It does not pay or compensate users in any way for EXPERIENCING bugs. That is the "petina of Apple".

 

[Tomboman]

I am always impressed by something like that - This guy is 18 and he found that bug, which no one at Apple found... Really awesome guy

 

[chrfr]

It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.

Not even close.

 

[Ho Tai]

First, thank you Linus for sharing the info with Apple.

I can only think of 2 reasons whey Apple wouldn't have a bounty program for Mac OS security flaws (neither makes Apple look good).
1) Apple doesn't care enough about Mac OS to pay a bounty for finding security flaws or
2) Apple is afraid of what the bounty program would cost.

I really hope there is a different, actual reason they don't have a bounty program but I can't think of what it would be.

Or maybe 3) Apple is afraid to create a cottage industry of people looking for bugs for profit, potentially exposing the OS as being less secure than Apple has promoted.

 

[DoctorTech]

Or maybe 3) Apple is afraid to create a cottage industry of people looking for bugs for profit, potentially exposing the OS as being less secure than Apple has promoted.

I had not thought of that but I agree that is a 3rd potential reason and of the 3, it sounds the most plausible.

 

[meson]

The guy is 18, the least Apple could do is offer a scholarship towards his further education or a summer internship. If nothing else give him a trip to WWDC in June. All result in good PR, and Linus earns a little compensation for his work.

At the end of the day, Apple should have a bug bounty program for macOS.

 

[chrfr]

Or maybe 3) Apple is afraid to create a cottage industry of people looking for bugs for profit, potentially exposing the OS as being less secure than Apple has promoted.

Apple already has a bug bounty program for iOS; if this was Apple's worry, they wouldn't offer the program for iOS. More likely, Apple figured they could save money by having the program for iOS and still get some benefit for macOS because the two operating systems share so much code.

 

[jscooper22]

This is just part of what I think is a much bigger story, one in which we're all living at the moment. Years ago Cook was being interviewed and said Apple didn't care about collecting information on people because their business was making things: the actual physical boxes people used. Either that was a lie or he soon after changed his mind. It's become clear in the past couple years that Apple realized there's much more money in storing and controlling people's data, and charging them to access and retrieve what's theirs. That's why they don't care about MacOS (or offering bug bounties), why they don't care about Server, why they don't care about Desktops or even Laptops (not really anyway), why they don't care about much of anything except providing slightly flashier dumb terminals to "the cloud". And we the people are blindly handing over all OUR stuff.

 

[Scooz]

Too close to QA. Bugs can’t be avoided. Steady drain of money. Denied.

- Tim, Craig and the easy going MR forum members

(ok, can’t really imagine Apple not starting a BB program for macOS now. And the bugs will pay for it!)

 

[BaltimoreMediaBlog]

Apple doesn't care because Mac OS is the Apple ][ of 2018. Eventually, Apple will just sell IOS devices. They are clearly headed in this direction.

I said this hoping I'm wrong, but I fear if Apple moves to ARM processors, Mac OS won't just gain IOS functionality, but lose more Mac OS functionality and morph into a more IOS feel. I don't think I'm going to like this.

 

[JosephAW]

How does he get past the login prompt to install an app called StealKey with the security setting only allowing Apple signed apps and system preferences set to always require password and then open the keychain which I have locked by default?
What? people leave their Macs unlocked?

 

[theluggage]

I can't really imagine a way for blaming him and his behaviour, but I'm sure this forum won't let me disappointed

If you can’t see anything wrong with demanding money with threats (pay me or I’ll go public with this damaging bug) then I doubt that it’s worth arguing with you.

Apple isn’t obliged to offer a “bug bounty” any more than individuals are obliged to spend their free time hunting down, documenting and reporting them.

A bug bounty might be feasible for a locked-down system like iOS, but an “open” system like MacOS has so many user-accessible utilities, libraries and subsystems (like the whole BSD/Linux stack, the compiler tool chain) that it is bound to be riddled with minor bugs. If a high-profile company like Apple announces a bug bounty on something as huge as MacOS then it’s just going to create a new industry of “bug mining”.

 

[Queen6]

It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.

It's more telling of Apple using privacy as a sales and marketing tool. While W10 updates can be intrusive if the user is not aware how to control. There's little doubt Microsoft takes security seriously and is constantly working on it as are those who want to breach the OS.

Q-6

 

[YaBe]

He probably cares about Mac OS as platform, and wants to see bugs fixed.


Thank you, Linus.


Now, Apple, listen to the people, and start bug bounty program.

He probably cares about Mac OS as platform more than Apple does, and this is the real problem.

Poor Apple. This will hurt them one way or another.

I am afraid it won't, they are pretty good at marketing, and spin this around. (just look in this very forum, there are people who make this guy look like the bad guy...)

Meh Apple is becoming less and less attractive by the day if you stop believing their marketing team.

 

[projectle]

I personally have weaponizable privilege escalation bugs that I raised in 2006 that remain open and presumably ignored (and various more over the years). Apple doesn't care about their macOS security unless it is in the media and actively affecting their bottom line. iOS will lead them to read the bug report, but if it has that Mac tag, may as well shred it rather than send it.

 

[chrfr]

How does he get past the login prompt to install an app called StealKey with the security setting only allowing Apple signed apps and system preferences set to always require password and then open the keychain which I have locked by default?
What? people leave their Macs unlocked?

This is the crux of the security vulnerability.

 

[69Mustang]

If you can’t see anything wrong with demanding money with threats (pay me or I’ll go public with this damaging bug) then I doubt that it’s worth arguing with you.

That would be wrong. If he actually did that. Since he didn't. Kind of irrelevant. He said he wouldn't disclose to Apple, not go public. So the truth may be worth your argument.

Apple isn’t obliged to offer a “bug bounty” any more than individuals are obliged to spend their free time hunting down, documenting and reporting them.

They aren't obligated. They shouldn't have to be. A bounty program for MacOS should be a no brainer.

A bug bounty might be feasible for a locked-down system like iOS, but an “open” system like MacOS has so many user-accessible utilities, libraries and subsystems (like the whole BSD/Linux stack, the compiler tool chain) that it is bound to be riddled with minor bugs. If a high-profile company like Apple announces a bug bounty on something as huge as MacOS then it’s just going to create a new industry of “bug mining”.

This makes no sense at all. Every major OS has a bounty program... including Linux. Bounty programs pay for severity not quantity. Every bug doesn't qualify for bounties. There's no worry of a bug mining industry. If there was, it would be on iOS. Apple's most prevalent OS. Heck even Windows, the most prevalent and arguably most bug ridden OS, doesn't have a bug mining industry.

 

[alexhardaker]

The guy did the right thing in the end. Good lad.

 

[ksec]

And here is another one from Google Project Zero

https://bugs.chromium.org/p/project-zero/issues/detail?id=1726&q=

90 Days Notice, and not fixed yet.

Edit: Here is an easier to read Reporting of the bug.

https://www.neowin.net/news/google-reveals-high-severity-flaw-in-macos-kernel/

 

[MacBH928]

And this is why I recommend 1Password when people say just use Keychain.

I also never wanted to say this, but given how Apple does not care about the MacOS and Windows is horrendous, I hope some new entrepreneur comes up with a new system...Just like Jobs came up with System 1 and competed with IBM.

 

[mike090910]

Seems like he used a third party product and that has the bug. Anyway, he really did not tell us anything.

 

[Jamers99]

At least send the kid a new iMac Pro as a thank you.