Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty

Linuz Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:So, blackmail?

It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question. 0Day exploits can fetch a lot of money on the open market and if companies don't want those exploits published to the public then they will have to compete with the open market to obtain them.

^^This. No one is under any ethical or legal obligation to report their discovered bugs to Apple (as the way it should be).

Legal? You're absolutely right. But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.

dump-keychain

[johnrpenner]

using:

security dump-keychain -d login.keychain > keychain.txt

in the terminal works rather nicely. this used to do so without authentication for the individual items.

newer versions of macOS now ask for user password before revealing passwords — but for a long time, and for older systems, this works quite nicely.

2cents from slushy toronto
john p

Re:So, blackmail?

[Darth]

Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.

apple didn't expect or require anything from him. he knew before he started that apple doesn't pay bounties for bugs and he still chose to spend his time and effort looking for a bug specifically so he could release it into the wild. he could have spent his time researching software from a company that does pay bounties for bugs.

he's a dick.