Slashdot Mirror


Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com)

Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

23 of 155 comments

  1. It just works by fluffernutter · · Score: 3, Funny

    It just works.. If someone wants to know your password.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  2. Re:So, blackmail? by cob666 · · Score: 4, Interesting

    It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question. 0Day exploits can fetch a lot of money on the open market and if companies don't want those exploits published to the public then they will have to compete with the open market to obtain them.

    --
    Do what thou wilt shall be the whole of the Law - Aleister Crowley
  3. What a callous prick. by nuckfuts · · Score: 4, Insightful

    Don't call yourself a "whitehat" if you refuse to behave honorably unless paid a "bounty".

    1. Re: What a callous prick. by Anonymous Coward · · Score: 4, Informative

      "Even on iOS, where Apple does offer bug bounties, the process for submitting bugs to the company is overly complex and dilatory, an issue spotlighted in the recent FaceTime spy bug debacle. Researchers have also accused Apple of hiding notices of bug fixes in sneaky ways and of taking too long to address reported issues, even when the security or privacy implications are serious."

      Need I say more?

    2. Re:What a callous prick. by msauve · · Score: 2

      Don't call yourself a company concerned with privacy if you can't secure your products on your own, and won't pay others for their efforts.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Re:So, blackmail? by Sarten-X · · Score: 3, Insightful

    Back in my day, we just tried to follow "responsible disclosure", and reported vulnerabilities because it made the world a safer place.

    This kind of stunt undermines that, by making responsible researchers (like me) more easily confused with actual blackmailers.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  5. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  6. Re:So, blackmail? by Anonymous Coward · · Score: 5, Interesting

    It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question. 0Day exploits can fetch a lot of money on the open market and if companies don't want those exploits published to the public then they will have to compete with the open market to obtain them.

    ^^This. No one is under any ethical or legal obligation to report their discovered bugs to Apple (as the way it should be).

    Legal? You're absolutely right. But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.

  7. Dubious veracity ... by b0s0z0ku · · Score: 2

    It's a Youtube video of some sort of program running. How do we know that the program can proceed without root (or admin user) access? For all we know, the program is given an admin password in its config files -- there's no real proof that it can proceed without credentials.

  8. Re:So, blackmail? by Luthair · · Score: 4, Informative

    Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.

  9. Re:So, blackmail? by willaien · · Score: 2

    Then, when you tell the company about the exploit, and they ignore it for an entire year, what should you do? At some point, you have an obligation to make the exploit public so that the company is forced to deal with it, instead of letting others who discovered it in private exploit it freely. It's why Google has a responsible disclosure policy that involves telling the company privately for a certain amount of time, then a public disclosure a set number of days after.

  10. Re:The 2014 MacBook Pro is Ancient by drinkypoo · · Score: 3, Interesting

    Apple has around $240 billion cash on hand. They could allocate $10 billion to nothing but awards for bug fixes and they wouldn't even feel it. Arguably they could do that every year

    Yeah, or they could hire enough people to find (and prevent!) the bugs before they reach customers. But clearly, they don't care enough to do that. And the only way to make them care is public disclosure.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. dump-keychain by johnrpenner · · Score: 5, Interesting

    using:

    security dump-keychain -d login.keychain > keychain.txt

    in the terminal works rather nicely. this used to do so without authentication for the individual items.

    newer versions of macOS now ask for user password before revealing passwords — but for a long time, and for older systems, this works quite nicely.

    2cents from slushy toronto
    john p
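As an added example, not code from the poster above or from Apple: a small Python parser for the output format that `security dump-keychain -d` prints, so you can audit which items in a dump actually came out in plaintext and which still hit the per-item authorization the commenter mentions on newer macOS. The sample dump is constructed here, and the field layout (a `class:` line, indented `"name"<type>=value` attributes, an optional `data:` block when `-d` is given) is my approximation of the tool's format; run it against a real dump on a Mac to check.

```python
"""Parse `security dump-keychain [-d]` output and report which items leaked data.

Hypothetical helper written for this page; not from the poster or from Apple.
The record layout below approximates what macOS `security` prints. The sample
dump is constructed so the script runs offline on any OS.
"""
import re

# Constructed sample: three items. The first has its secret dumped, the second
# has an empty data block (authorization not granted), the third was dumped
# without -d at all, so there is no data block.
SAMPLE_DUMP = '''\
keychain: "/Users/demo/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Example Wi-Fi"
    "acct"<blob>="demo"
    "desc"<blob>="AirPort network password"
    "svce"<blob>="Example Wi-Fi"
data:
"hunter2-wifi"

keychain: "/Users/demo/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="example.test"
    "acct"<blob>="demo@example.test"
    "srvr"<blob>="example.test"
    "ptcl"<uint32>="htps"
data:

keychain: "/Users/demo/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Locked Item"
    "acct"<blob>="admin"
    "svce"<blob>="Locked Item"
'''

# Attribute line: either a quoted four-char tag or a raw hex tag, then <type>=value.
ATTR_RE = re.compile(r'^\s+(?:"(\w+)"|(0x[0-9a-fA-F]+))\s*<\w+>=(.*)$')


def _unquote(raw):
    """Strip surrounding quotes; map the tool's <NULL> marker to None."""
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_dump(text):
    """Return one dict per keychain item: keychain, class, attrs, data.

    data is None when no `data:` block was printed (dump without -d),
    "" when the block was present but empty, else the plaintext secret.
    """
    items, cur, in_data, data_lines = [], None, False, []

    def flush():
        nonlocal cur, in_data, data_lines
        if cur is None:
            return
        if in_data:
            cur["data"] = _unquote("\n".join(data_lines))
        items.append(cur)
        cur, in_data, data_lines = None, False, []

    for line in text.splitlines():
        if line.startswith("keychain:"):
            flush()
            cur = {"keychain": _unquote(line.split(":", 1)[1]),
                   "class": None, "attrs": {}, "data": None}
        elif cur is None:
            continue
        elif in_data:
            if line.strip():
                data_lines.append(line)
        elif line.startswith("class:"):
            cur["class"] = _unquote(line.split(":", 1)[1])
        elif line.startswith("data:"):
            in_data = True
        else:
            m = ATTR_RE.match(line)
            if m:
                cur["attrs"][m.group(1) or m.group(2)] = _unquote(m.group(3))
    flush()
    return items


def label_of(item):
    """Service name for generic passwords, server for internet passwords."""
    a = item["attrs"]
    return a.get("svce") or a.get("srvr") or a.get("0x00000007") or "<unnamed>"


def summarize(items):
    """(class, label, account, leaked) per item; leaked = plaintext data present."""
    return [(i["class"], label_of(i), i["attrs"].get("acct"), bool(i["data"]))
            for i in items]


def leaked_items(items):
    return [i for i in items if i["data"]]


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for cls, label, acct, leaked in summarize(parsed):
        print(f"{cls:5} {label:20} {acct or '-':22} {'LEAKED' if leaked else 'protected'}")
    print(f"{len(leaked_items(parsed))} of {len(parsed)} items dumped in plaintext")
```

On a Mac you would feed it `security dump-keychain -d login.keychain` output instead of the constructed sample; the point of the summary is to see at a glance how many items the per-item prompt still guarded versus how many came out in the clear.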

  12. I know a lot of folks are upset at him by jjshoe · · Score: 4, Informative

    1) He hasn't released how to actually exploit it.
    2) This is a five, maybe six, figure bug on the black market.
    3) He's simply saying 'Hey, wake up, you're doing a giant disservice to all your users by pushing people to the black market.'

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
    1. Re:I know a lot of folks are upset at him by lazarus · · Score: 3, Insightful

      If he uses this to, say, recover $145M in cryptocurrency from a laptop, then I'm sure he will do well...

      --
      I am not interested in articles about life extension advancements.
    2. Re:I know a lot of folks are upset at him by Holi · · Score: 2

      In what way does killing him help reveal his exploit? That makes zero sense in this case.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  13. How is this not Black Hat? by fortythirteen · · Score: 4, Insightful

    In "protest of a lack of bug bounties" this individual is:

    1. Posting a YouTube video showing a purported P1, 0day security exploit.
    2. Not releasing any information on how to reproduce or resolve their exploit.
    3. Holding out for Apple to pay a "bug bounty" (read: ransom)

    We're through the looking glass if this is what qualifies as "security research" nowadays.

  14. You are blackmailing by crying blackmail! by Fringe · · Score: 2

    If part of his expected income is from this, your attempt at shaming him for actions you disapprove of is pure bullying. Apple has no right to first refusal if they won't compensate for the effort.

    Just because you want to blackmail him into giving his work for free to Apple doesn't mean that's the ethical choice. As long as he is not DIRECTLY harming others, his disclosures still fall on the ethical side. You, however, fall on the "troll" side.

  15. Credible researcher? by Pinky's+Brain · · Score: 4, Insightful

    White hats were reporting exploits long before you could make money with it, the money is not some inherent right. The guy is not a white hat, he's an asshat.

  16. Re:Updates lately have been great by dgatwood · · Score: 2

    The iMac Pro was great. The new Mac mini was fantastic.

    They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?

    You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?...

    FWIW, the Mac Mini was always overpriced, from the first day that the Intel version shipped. Competing on cost was never Apple's strong point, though they were usually within a few percent on high-end models in their base configuration (with no extra RAM or HD upgrades). Their upgrades have almost always historically been more expensive than buying the machine in the base configuration, buying the upgrade outright, and throwing away the parts you took out.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  17. Re:So, blackmail? by Darth · · Score: 5, Insightful

    Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.

    apple didn't expect or require anything from him. he knew before he started that apple doesn't pay bounties for bugs and he still chose to spend his time and effort looking for a bug specifically so he could release it into the wild. he could have spent his time researching software from a company that does pay bounties for bugs.

    he's a dick.

    --
    Darth --
    Nil Mortifi, Sine Lucre
  18. Re:So, blackmail? by Tyr07 · · Score: 2

    Apple started getting rid of the headphone since they don't get royalties from it and you can purchase other brand headphones without them making money. So now you have to buy special adapters and give more money to apple if you want to use headphones.

    Apple's a dick.

  19. Re:one step removed from 'digital extortion' by pauljlucas · · Score: 2

    When companies actually pay damages, they'll start being A Lot More Careful.

    Good, cheap, fast: pick any two. If you assume good = careful, then either the software will be cheap, but slow between releases; or fast but expensive. Most consumers prefer cheap. One problem with cheap but slow is that companies need to be able to pay their employees between releases.

    --
    If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.