Slashdot Mirror


Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com)

Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

6 of 155 comments

  1. What a callous prick. by nuckfuts · Score: 4, Insightful

    Don't call yourself a "whitehat" if you refuse to behave honorably unless paid a "bounty".

  2. Re:So, blackmail? by Sarten-X · Score: 3, Insightful

    Back in my day, we just tried to follow "responsible disclosure", and reported vulnerabilities because it made the world a safer place.

    This kind of stunt undermines that, by making responsible researchers (like me) more easily confused with actual blackmailers.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  3. How is this not Black Hat? by fortythirteen · Score: 4, Insightful

    In "protest of a lack of bug bounties" this individual is:

    1. Posting a YouTube video showing a purported P1, 0day security exploit.
    2. Not releasing any information on how to reproduce or resolve their exploit.
    3. Holding out for Apple to pay a "bug bounty" (read: ransom)

    We're through the looking glass if this is what qualifies as "security research" nowadays.

  4. Credible researcher? by Pinky's+Brain · Score: 4, Insightful

    White hats were reporting exploits long before you could make money with it, the money is not some inherent right. The guy is not a white hat, he's an asshat.

  5. Re:So, blackmail? by Darth · Score: 5, Insightful

    Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.

    apple didn't expect or require anything from him. he knew before he started that apple doesn't pay bounties for bugs and he still chose to spend his time and effort looking for a bug specifically so he could release it into the wild. he could have spent his time researching software from a company that does pay bounties for bugs.

    he's a dick.

    --
    Darth --
    Nil Mortifi, Sine Lucre
  6. Re:I know a lot of folks are upset at him by lazarus · Score: 3, Insightful

    If he uses this to, say, recover $145M in cryptocurrency from a laptop, then I'm sure he will do well...

    --
    I am not interested in articles about life extension advancements.