
macsrcool1234

Suspended
Oct 7, 2010
1,551
2,130
The guy painted himself into a corner. Optics and public sentiment aside, once you disclose that you have damaging information about a software vulnerability, and then you demand money or other concessions before disclosing the information to the software developer, you are coming very close to the legal definition of extortion.

I’m guessing an attorney pointed this out to the guy.

Wrong.
 

kironin

macrumors 6502a
May 4, 2004
623
262
Texas
Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.

This is silly, they most certainly can easily afford to fund bug bounties for both. He's right, he deserves to be rewarded.
 
  • Like
Reactions: HJM.NL and jpn

Rocketman

macrumors 603
I think that a bug program for MacOS would affect Apple's bottom line.

A large number of 2018 MacBook Pro owners would want to get paid for their bridgeOS crashes :).
Silly boy.

Apple pays researchers to find bugs on certain targeted OSes. It does not pay or compensate users in any way for EXPERIENCING bugs. That is the "patina of Apple". :D
 
  • Like
Reactions: jpn

chrfr

macrumors G5
Jul 11, 2009
13,520
7,045
It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.
Not even close.
 
  • Like
Reactions: jpn

Ho Tai

macrumors member
Jan 1, 2018
50
54
First, thank you Linus for sharing the info with Apple.

I can only think of 2 reasons why Apple wouldn't have a bounty program for Mac OS security flaws (neither makes Apple look good).
1) Apple doesn't care enough about Mac OS to pay a bounty for finding security flaws or
2) Apple is afraid of what the bounty program would cost.

I really hope there is a different, actual reason they don't have a bounty program but I can't think of what it would be.
Or maybe 3) Apple is afraid to create a cottage industry of people looking for bugs for profit, potentially exposing the OS as being less secure than Apple has promoted.
 

meson

macrumors 6502
Apr 29, 2014
481
466
The guy is 18, the least Apple could do is offer a scholarship towards his further education or a summer internship. If nothing else give him a trip to WWDC in June. All result in good PR, and Linus earns a little compensation for his work.

At the end of the day, Apple should have a bug bounty program for macOS.
 

chrfr

macrumors G5
Jul 11, 2009
13,520
7,045
Or maybe 3) Apple is afraid to create a cottage industry of people looking for bugs for profit, potentially exposing the OS as being less secure than Apple has promoted.
Apple already has a bug bounty program for iOS; if this was Apple's worry, they wouldn't offer the program for iOS. More likely, Apple figured they could save money by having the program for iOS and still get some benefit for macOS because the two operating systems share so much code.
 
Last edited:

jscooper22

macrumors 6502
Feb 8, 2013
255
612
Syracuse, NY
This is just part of what I think is a much bigger story, one in which we're all living at the moment. Years ago Cook was being interviewed and said Apple didn't care about collecting information on people because their business was making things: the actual physical boxes people used. Either that was a lie or he soon after changed his mind. It's become clear in the past couple years that Apple realized there's much more money in storing and controlling people's data, and charging them to access and retrieve what's theirs. That's why they don't care about MacOS (or offering bug bounties), why they don't care about Server, why they don't care about Desktops or even Laptops (not really anyway), why they don't care about much of anything except providing slightly flashier dumb terminals to "the cloud". And we the people are blindly handing over all OUR stuff.
 
  • Like
Reactions: HJM.NL and 5105973

Scooz

Suspended
Apr 9, 2012
339
348
Too close to QA. Bugs can’t be avoided. Steady drain of money. Denied.

- Tim, Craig and the easy going MR forum members

(ok, can’t really imagine Apple not starting a BB program for macOS now. And the bugs will pay for it!)
 
  • Like
Reactions: HJM.NL

BaltimoreMediaBlog

Suspended
Jul 30, 2015
1,191
2,073
DC / Baltimore / Northeast
Apple doesn't care because Mac OS is the Apple ][ of 2018. Eventually, Apple will just sell IOS devices. They are clearly headed in this direction. :(

I said this hoping I'm wrong, but I fear if Apple moves to ARM processors, Mac OS won't just gain IOS functionality, but lose more Mac OS functionality and morph into a more IOS feel. I don't think I'm going to like this.
 

JosephAW

macrumors 603
May 14, 2012
5,964
7,916
How does he get past the login prompt to install an app called StealKey with the security setting only allowing Apple signed apps and system preferences set to always require password and then open the keychain which I have locked by default?
What? people leave their Macs unlocked?
 
  • Like
Reactions: nihil0

theluggage

macrumors 604
Jul 29, 2011
7,507
7,402
I can't really imagine a way of blaming him and his behaviour, but I'm sure this forum won't leave me disappointed.

If you can’t see anything wrong with demanding money with threats (pay me or I’ll go public with this damaging bug) then I doubt that it’s worth arguing with you.

Apple isn’t obliged to offer a “bug bounty” any more than individuals are obliged to spend their free time hunting down, documenting and reporting them.

A bug bounty might be feasible for a locked-down system like iOS, but an “open” system like MacOS has so many user-accessible utilities, libraries and subsystems (like the whole BSD/Linux stack, the compiler tool chain) that it is bound to be riddled with minor bugs. If a high-profile company like Apple announces a bug bounty on something as huge as MacOS then it’s just going to create a new industry of “bug mining”.
 
  • Like
Reactions: thebroz

Queen6

macrumors G4
It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.

It's more telling of Apple using privacy as a sales and marketing tool. While W10 updates can be intrusive if the user is not aware of how to control them, there's little doubt Microsoft takes security seriously and is constantly working on it, as are those who want to breach the OS.

Q-6
 
  • Like
Reactions: YaBe

YaBe

Cancelled
Oct 5, 2017
867
1,533
He probably cares about Mac OS as platform, and wants to see bugs fixed.


Thank you, Linus.


Now, Apple, listen to the people, and start a bug bounty program.
He probably cares about Mac OS as platform more than Apple does, and this is the real problem.
Poor Apple. This will hurt them one way or another.
I am afraid it won't, they are pretty good at marketing, and spin this around. (just look in this very forum, there are people who make this guy look like the bad guy...)

Meh Apple is becoming less and less attractive by the day if you stop believing their marketing team.
 
Last edited:
  • Like
Reactions: Queen6

projectle

macrumors 6502a
Oct 11, 2005
525
57
I personally have weaponizable privilege escalation bugs that I raised in 2006 that remain open and presumably ignored (and various more over the years). Apple doesn't care about their macOS security unless it is in the media and actively affecting their bottom line. iOS will lead them to read the bug report, but if it has that Mac tag, may as well shred it rather than send it.
 

chrfr

macrumors G5
Jul 11, 2009
13,520
7,045
How does he get past the login prompt to install an app called StealKey with the security setting only allowing Apple signed apps and system preferences set to always require password and then open the keychain which I have locked by default?
What? people leave their Macs unlocked?
This is the crux of the security vulnerability.
 

69Mustang

macrumors 604
Jan 7, 2014
7,895
15,043
In between a rock and a hard place
If you can’t see anything wrong with demanding money with threats (pay me or I’ll go public with this damaging bug) then I doubt that it’s worth arguing with you.
That would be wrong. If he actually did that. Since he didn't, it's kind of irrelevant. He said he wouldn't disclose to Apple, not go public. So the truth may be worth your argument. ;)

Apple isn’t obliged to offer a “bug bounty” any more than individuals are obliged to spend their free time hunting down, documenting and reporting them.
They aren't obligated. They shouldn't have to be. A bounty program for MacOS should be a no brainer.

A bug bounty might be feasible for a locked-down system like iOS, but an “open” system like MacOS has so many user-accessible utilities, libraries and subsystems (like the whole BSD/Linux stack, the compiler tool chain) that it is bound to be riddled with minor bugs. If a high-profile company like Apple announces a bug bounty on something as huge as MacOS then it’s just going to create a new industry of “bug mining”.
This makes no sense at all. Every major OS has a bounty program... including Linux. Bounty programs pay for severity not quantity. Every bug doesn't qualify for bounties. There's no worry of a bug mining industry. If there was, it would be on iOS. Apple's most prevalent OS. Heck even Windows, the most prevalent and arguably most bug ridden OS, doesn't have a bug mining industry.
 
Last edited:

MacBH928

macrumors G3
May 17, 2008
8,327
3,719
And this is why I recommend 1Password when people say just use Keychain.

I also never wanted to say this, but given how Apple does not care about the MacOS and Windows is horrendous, I hope some new entrepreneur comes up with a new system...Just like Jobs came up with System 1 and competed with IBM.
 

mike090910

macrumors member
Apr 22, 2018
82
147
Seems like he used a third party product and that has the bug. Anyway, he really did not tell us anything.
 