Sad to see Tim's Apple penny pinching like this

He talks a big game about iPhone security but the message is clear; expect Apple to put literally $0 into MacOS security
 
I agree. The kid should get paid. Not only for the discovery but also for the fact that he is just 18 and he is already showing some talent. His time (and mainly the result) should be rewarded even if it's just a few thousand. I feel $5k-$10k would be appropriate. Apple had all this time to fix it, and their software developers probably earn more, so this is nothing.
 
A Google Project Zero researcher also found a copy-on-write (COW) flaw in the MacOS kernel that they just released publicly, because it is over 90 days since they notified Apple.

I think this is the best idea. Give Apple a heads up and then it's their problem if the most profitable company in the world can't fix a few lines of code in 1/4 of a year.
The guy painted himself into a corner. Optics and public sentiment aside, once you disclose that you have damaging information about a software vulnerability, and then you demand money or other concessions before disclosing the information to the software developer, you are coming very close to the legal definition of extortion.

I’m guessing an attorney pointed this out to the guy.

No he didn't. His naive mistake was thinking Apple cared about its customers. He fell for all of Tim's PR talk.
 
Seems like he used a third party product and that has the bug. Anyway, he really did not tell us anything.
That is what's known as responsible disclosure.
He wrote a program to take advantage of the exploit, and then shared that information with Apple, which is the responsible way to get a bug fixed. I would expect full details to be released once Apple patches it.
 
That's worrisome. Too bad Apple is too cheap to give this person some "small to them, significant to others" amount like 10k for finding that exploit. A small price for what I think is a huge issue.
 
Based on the video, the user needs to be logged into the system in order to access the passwords that require the user login to access. Doesn't really sound like a HUGE security bug. Now, if he could get access to KeyChain logged in as a Guest or through an iCloud exploit that would be a monstrous issue.
 
I still think he was supposed to release the info immediately. No one forced him to hunt for bugs.
 
The least they could do is give the kid a free iMac or something.

Well, except that if you can get the user to run a trojan you'd *still* expect it to prompt for the keychain password before being able to pull secrets out of it. That's how it's *supposed* to work.
 
That’s very kind of this researcher and a very ‘unApple’ thing to do, giving this away freely. Hope Apple will be able to correct this before 2022.
 
And this is why I recommend 1Password when people say just use Keychain.
Me too.
iCloud Keychain is convenient if you're 100% Apple, but I'm steadily giving up Apple products where there are better solutions around.
1Password is cross platform, and their team has way better focus on their product than Apple does on Keychain. I've raised a couple of potential bugs with 1Password and they responded pretty much instantly and carried on the conversation until the matter was closed. Probably the best technical response I've had from any company.
 
I say this hoping I'm wrong, but I fear if Apple moves to ARM processors, Mac OS won't just gain iOS functionality, but lose more Mac OS functionality and morph into a more iOS feel. I don't think I'm going to like this.
If this happens, be prepared for another couple of years of being thrown back in time. I’ve experienced two transitions already, and it takes years to give the OS the same functionality as the platform it came from.
 
Apple is so stingy … they should pay for someone's time/talent to uncover a serious bug that Apple should have caught in the first place.
 
I’ve had Adobe Acrobat crashing for two years now when I send a PDF from Acrobat to Outlook for Mac. Every time it crashes, I’ve sent the report to Apple and to Adobe with my email address in it. In those two years I’ve never received any confirmation from either Adobe or Apple. Nor did I receive a question from them.

It’s like talking to Siri. And this ain’t the way to treat a customer.

Sounds like the guys from 1Password are very involved with their offerings. This is the way it should be. Kudos to them :)
 
Just pay the kid...Good PR and little expense

They are not obligated to.

It sounds like extortion to me.

It would be nice, but really? It just sounds like he did it for money, otherwise he would not care for any bounty. Seems like he changed his idea. I mean, he has a Mac that runs Mojave. Not a poor kid.
 
I can't really imagine a way to blame him and his behaviour, but I'm sure this forum won't leave me disappointed.
Not blaming him and his behavior. But, "Teen does right thing even though not rewarded financially for doing so", is not a very high bar to get over. I'm glad he did the right thing. I'm glad that this brought some media attention to Apple not having a bug bounty program for macOS. I hope Apple rectifies that (both the bug and the lack of a bug bounty program), and I sincerely hope they put more effort into making the Macs (and macOS) that their customers actually want.
 

Totally agree. When I read "teenager" I thought of the word 'entitlement'. It'd be nicer if people just did the right thing because they'd like to be treated the same, and not look for gratitude or payment.
 
Kind of baffles me that Apple does not have a ‘bug bounty program’. You would think, as particular and stringent as Apple tends to be with their software, that it would only behoove them to implement something where hunters can locate/report issues to eradicate them.

It's cheaper to hire a bunch of propagandists at near minimum wage than security researchers at upwards of $200K/year each.
 
Tim is taking home millions but doesn't seem to care about customers enough to swing this guy some cash for finding a bug. Pathetic.
 