Slashdot Mirror

← Back to Stories (view on slashdot.org)

MacBook Hacked In Contest Via Zero-Day Hole in Safari

Posted by Zonk on from the and-the-winner-is dept.

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"

8 of 156 comments (clear)

  1. switcher by BorgCopyeditor · · Score: 5, Funny

    that's it! I'm switching back to Windows!

    --
    Shop as usual. And avoid panic buying.
  2. Konqueror by Anonymous Coward · · Score: 5, Interesting

    Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

  3. Re:So, if I reaf TFA correctly: by RalphBNumbers · · Score: 5, Informative

    As I understand it:

    The rules originally required getting a user shell on a macbook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second macbook without using the same bug.
    The prize was the macbook(s) you hacked.

    But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.

    But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.

    Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
  4. Read a better article than the one linked. by Anonymous Coward · · Score: 5, Informative

    The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website. No ports were closed nor was the firewall running.

  5. no such thing as a white hat... by Animaether · · Score: 5, Interesting
    ...is there?

    I mean - I can only assume this was a 'white hat' hackers conference, given there was actual publicity given and a public bounty and such. But then things like these pop up?

    "'Shane can have the laptop, I want the money,' Dai Zovi said in a telephone interview from New York"
    "Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000."


    Makes me think.. black hat, white hat.. what's the difference these days? I thought a white hat hacker was the 'good guy' (albeit still a hacker).. the kind of person who hacks for fun / curiosity.. the kind of person who notifies the developer of the bug or, at least, just makes the bug known to the world at no charge. Not the kind of person who hacks, then scours the 'security conferences' for a bounty, and when that bounty is lower than what they could get off of actual 'bad guys', complain that the bounty is too low. To me, that just sounds like the person is a black hat, but dons a white hat on top in an attempt to fool us into thinking they're white hat.
  6. Re:Admin user or regular user? by Tickletaint · · Score: 5, Insightful

    From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?

    And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.

    --
    Make Slashdot readable! See journal.
  7. there are some weird things in Safari... by lixlpixel · · Score: 5, Informative

    Safari lets you include local files, for example...

    i told apple (and got a lame reply that it would be fixed eventually) month ago, yet it still works.

    see http://destabili.zation.eu/ for a quick harmless example that can check what applications you got installed.

    and then there is a way to crash Safari which exists for more than a year - again i had an email conversation where they wanted more info and crashreports - yet nothing was ever done about it.

    http://lixlpixel.org/safaricrash/ and follow the instructions - but make sure you don't have any important tabs open...

  8. Re:Explanatin of rules relaxation by DECS · · Score: 5, Insightful

    InfoWorld Publishes False Report on Mac Security

    "Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

    "In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being "able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X." That part was simply wrong.

    "Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring's article clearly described a local exploit. There's a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."

    More info under a series of subheadings:

    Gohring's Mac Security Myths
    Microsoft's Security Embarrassment
    Mac OS X and Security
    The Mac Minority Malware Myth
    Why Macs Aren't Sending You Spam