Security Researcher Refuses to Share Bug with Apple

By John Lister

A security researcher says he's found a major security flaw in the Mac's password storage tool. But he's refusing to publish the details as a protest against Apple's "bug bounty" program.

Linus Henze has produced a video showing what he calls an exploit of the Keychain feature in MacOS Mojave, the current edition of the operating system for Mac computers.

Keychain is an application on Macs that lets users save passwords for online accounts and digital certificates so that they don't have to type them in again. Users can also open Keychain and access a full list of passwords.

Normally every item in this list is hidden. The user can only view an item by typing in their Mac system password, and must do so separately for each item they want to view.

Entire Password Vault Revealed

Henze says he's developed a piece of software called "KeySteal" to circumvent Keychain. Once installed, a single click on a button marked "Show me your secrets" will unlock the entire list of passwords in one go, without having to type in the system password. (Source: venturebeat.com)

According to Henze, the exploit overcomes three Apple security measures:

  • It doesn't require administrator privileges.
  • It works even if the user has switched on a feature named "Access Control Lists" that's meant to block access to tools such as Keychain.
  • It works even if the computer is running System Integrity Protection, a feature that's meant to limit unapproved modification of important files.

The attack would require either physical or remote access to the computer to install and run the rogue software.

No Bounty For Mac Bugs

Oftentimes, security researchers will keep quiet about their discoveries until they have contacted the manufacturer or developer in order to give them a reasonable time to fix the issue.

That's not always the case, however. In November 2016, Google revealed a major security flaw in Windows that would allow remote code execution. Google alerted Microsoft to the bug, but waited only one week for Microsoft to fix the issue. When the time was up, Google went public about the bug in hopes of escalating the issue. This proved to be a very controversial move.

In this case, Henze says he's not told Apple about the Keychain bug because he disapproves of the way the company will pay "bounties" for bugs discovered in iOS (Apple's mobile platform), but not for MacOS.

For now, Henze says he's keeping the full details of the bug secret so that hackers don't have enough information to develop their own version of KeySteal. Several sources have noted he's previously shared details of iOS bugs that did check out. (Source: 9to5mac.com)

What's Your Opinion?

Was Henze right to not tell Apple about the bug? Is he making a legitimate protest or just looking for a payout? Should Apple pay rewards to people who report Mac security issues?


Comments

Jim

Of course Apple should pay bounties for MacOS bugs. How are they any different than iOS bugs? You produced a product with a security flaw, and someone found it and gave you the opportunity to fix it before black hats could exploit it. You should be grateful... and pay.

Jim-in-kansas

Apple certainly should pay this researcher for this discovery; and gladly if it is a major flaw. It helps their product and if they don't then this person may feel that whoever is willing to pay should get the information.

Apple, being the arrogant bunch they always have been, deserve to be negatively impacted if they don't reward the hard work of this researcher.

James Douglass
05K USASA 70-73

jcgrande

He’s done the work that Apple’s Security Department should have done, Apple get off your high horse and PAY THE MAN!

kb72

Of course Apple should pay. It's not like they're struggling financially!

It takes time, experience, knowledge and skill to work on these things. Everyone has bills to pay.