Slashdot Mirror
Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com)
Linuz Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.
While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.
While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.
"Even on iOS, where Apple does offer bug bounties, the process for submitting bugs to the company is overly complex and dilatory â" an issue spotlighted in the recent FaceTime spy bug debacle. Researchers have also accused Apple of hiding notices of bug fixes in sneaky ways and of taking too long to address reported issues, even when the security or privacy implications are serious."
Need I say more?
Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.
1) He hasn't released how to actually exploit it.
2) This is a five, maybe six, figure bug on the black market.
3) He's simply saying 'Hey, wake up, you're doing a giant disservice to all your users by pushing people to the black market.'
-- botsex is {grep;touch;strip;unzip;head;mount}