Researcher demos new macOS Keychain exploit, holds data from Apple in protest

Posted in macOS, edited February 7
A veteran security researcher this week revealed the existence of a new macOS Keychain exploit, while controversially saying he wouldn't share details with Apple because of its bug bounty policies.

macOS Keychain
A demo app, "KeySteal," is able to extract passwords from the login and System keychains without any administrator privileges, and regardless of whether System Integrity Protection or Access Control Lists are configured, according to Linus Henze. Items in the iCloud Keychain are immune, Henze told Heise.

There have been no reports so far of the exploit being used in the wild, but concerned Mac owners can protect themselves by giving the login keychain its own password, separate from the account login password.
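The mitigation mentioned above, as an added shell example that is not part of the article or of any commenter's post: it uses the standard macOS `security` tool to give the login keychain its own password and to make it re-lock automatically, and includes a check that a practitioner can run afterwards. The output format of `security show-keychain-info` that the check parses is assumed from memory, and the sample output lines are constructed.

```shell
#!/bin/sh
# Harden the macOS login keychain (added example, not the article's own procedure).
set -eu

LOGIN_KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"

# Constructed sample output of `security show-keychain-info` (format assumed):
SAMPLE_OK='Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_BAD='Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout'

# Return 0 when the show-keychain-info text ($1) says the keychain locks on
# sleep AND after an inactivity timeout; takes text so it can be checked offline.
keychain_autolock_ok() {
    case "$1" in
        *lock-on-sleep*timeout=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the inactivity timeout in seconds from the same text; 0 if none set.
keychain_timeout_seconds() {
    t=$(printf '%s\n' "$1" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p' | head -n 1)
    printf '%s\n' "${t:-0}"
}

harden_login_keychain() {
    # 1. Give the login keychain its own password. `security` prompts for the old
    #    and new password, so neither ends up in shell history. Afterwards the
    #    keychain no longer unlocks with the account password: expect unlock
    #    prompts at login and from apps (the trade-off one commenter points out).
    security set-keychain-password "$LOGIN_KEYCHAIN"
    # 2. Lock on sleep (-l) and after 300 s of inactivity (-u -t), so an unlocked
    #    keychain does not sit open for any local process to read.
    security set-keychain-settings -l -u -t 300 "$LOGIN_KEYCHAIN"
    # 3. Verify the settings took effect.
    info=$(security show-keychain-info "$LOGIN_KEYCHAIN" 2>&1)
    keychain_autolock_ok "$info" && echo "ok: auto-lock enabled ($(keychain_timeout_seconds "$info")s)"
}

# Only apply on macOS and only when explicitly asked, e.g. `sh harden.sh --apply`.
if [ "${1:-}" = "--apply" ] && [ "$(uname)" = "Darwin" ]; then
    harden_login_keychain
fi
```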

Henze's protest stems from the fact that the company's bug bounty program only covers iOS, not macOS. Independent researchers can be dependent on such payouts.

Even within the iOS sphere Apple's program has been criticized as comparatively stingy, paying less than what third-party firms are offering. One such outfit, Zerodium, recently hiked its bounties to as high as $2 million for a remote, persistent, "zero-click" iOS jailbreak. The most Apple will pay is $200,000 even with the integrity of its platforms at stake.

Comments

  • Reply 1 of 25
    davgreg Posts: 194 member
    If they can pay about $3 Billion for Beats- a "me too" rental service that also sold crappy headphones and speakers, they can afford to pay better bounties for bugs and hire more people to suit their stuff.
  • Reply 2 of 25
    jimh2 Posts: 86 member
    Beats is a money maker. Have you ever looked around and noticed they are everywhere. Call them what you want but they sell.

    So basically he is extorting Apple which is illegal.
  • Reply 3 of 25
    This is bogus:

    1) the person trying to steal your passwords has to first have access to your Mac.
    2) he then ran some app to get your passwords...I’m guessing all this app does is enter your Mac’s password for the keychain items automatically and then extracts them and displays them all in a list, so, again, back to 1).
    3) you can also lock keychain so that it has to be opened with a password, so they’d need not only your Mac’s password, but keychain’s password...this is not the default for keychain.
  • Reply 4 of 25
    ... what this does, (2) above), is not that impressive...again the person has to first have access (Mac password) to your Mac.

    i think this is click bait for the app. Some people might like a list of all the passwords in keychain.
  • Reply 5 of 25
    Should Apple extend the bonus program to macOS and the other OSs they make? Yes absolutely. 
    Is it unethical for this person to withhold this important security info from Apple until they get paid? Yes absolutely.
  • Reply 6 of 25
    benji888 said:
    This is bogus:

    1) the person trying to steal your passwords has to first have access to your Mac.
    2) he then ran some app to get your passwords...I’m guessing all this app does is enter your Mac’s password for the keychain items automatically and then extracts them and displays them all in a list, so, again, back to 1).
    3) you can also lock keychain so that it has to be opened with a password, so they’d need not only your Mac’s password, but keychain’s password...this is not the default for keychain.
    1&2) It can be chained with other exploits - zero-day, or known for older MacOS versions which this exploit affects. 3) try this, and see how long you can run with keychain staying locked, especially while browsing sites that require logins, apps during startup, etc...
  • Reply 7 of 25

    "1) the person trying to steal your passwords has to first have access to your Mac."

    So don't give your Mac to the hacker... Problem solved! ;-))

    edited February 6
  • Reply 8 of 25
    jimh2 said:
    Beats is a money maker. Have you ever looked around and noticed they are everywhere. Call them what you want but they sell.

    So basically he is extorting Apple which is illegal.
    Assuming German law on extortion is similar to that in the US, I agree, but I don't even play a lawyer on TV.

    No one guarantees white hat hackers an income, unless they have an employment contract. If they uncover vulns in a company's products, they hope to be compensated by the company according to the seriousness of the vulnerabilities. If they know a company doesn't offer compensation for uncovering vulns in a certain product, they're either doing the work pro bono or are at least thinking about extortion — or worse.
  • Reply 9 of 25
    brianm said:
    benji888 said:
    This is bogus:

    1) the person trying to steal your passwords has to first have access to your Mac.
    2) he then ran some app to get your passwords...I’m guessing all this app does is enter your Mac’s password for the keychain items automatically and then extracts them and displays them all in a list, so, again, back to 1).
    3) you can also lock keychain so that it has to be opened with a password, so they’d need not only your Mac’s password, but keychain’s password...this is not the default for keychain.
    1&2) It can be chained with other exploits - zero-day, or known for older MacOS versions which this exploit affects. 3) try this, and see how long you can run with keychain staying locked, especially while browsing sites that require logins, apps during startup, etc...
    Bingo! I always find it amazing at how dismissive people are about problems like this (on any platform). A single given bug may not be a problem for everyone, but bugs form links in exploit chains that very quickly become viable attack vectors. 

    This looks like a reasonably concerning issue. I have no idea how the interaction between the researcher and Apple went or who's being the bigger asshat. The researcher's behaviour seems unethical. Apple's bounty program is badly lacking as well. No cookies for anyone. 
  • Reply 10 of 25
    lkrupp Posts: 6,608 member
    What I hope happens is that Apple engineers find and fix the hack on their own and leave the “researcher” twisting in the wind with his hand out. It’s not a protest, it’s extortion and racketeering. 
    edited February 6
  • Reply 11 of 25
    tzm41 Posts: 78 member
    I have no empathy in Apple neglecting macOS and not setting up a bounty program for the platform.
  • Reply 12 of 25
    brianm said:
    benji888 said:
    This is bogus:

    1) the person trying to steal your passwords has to first have access to your Mac.
    2) he then ran some app to get your passwords...I’m guessing all this app does is enter your Mac’s password for the keychain items automatically and then extracts them and displays them all in a list, so, again, back to 1).
    3) you can also lock keychain so that it has to be opened with a password, so they’d need not only your Mac’s password, but keychain’s password...this is not the default for keychain.
    1&2) It can be chained with other exploits - zero-day, or known for older MacOS versions which this exploit affects. 3) try this, and see how long you can run with keychain staying locked, especially while browsing sites that require logins, apps during startup, etc...

    Curious, which other exploits can it be chained with? Do you have a working list to demonstrate for us? Or are you fabricating "what-if" scenarios to make this seem worse than it is?
  • Reply 13 of 25
    It’s not extortion.  I agree with the bug researcher.

    Apple isn’t the only one who refuses to pay for bugs/exploits, Sony does the same, and it weakens their products security.

    Most companies these days work with white hats to improve their products security, and it benefits both parties.  Microsoft saves a bundle doing so...

    What is curious is why Apple cares less about the security of MacOS than it does about iOS...

    Each company has the right to pay for exploits or not.  Security researchers have the right to make a living.  Some researchers will report exploits without pay, but overall companies that don’t pay should expect less assistance.

    If you look at requirements for reporting exploits, it’s a non trivial amount of work.  Many many researchers won’t bother without monetary incentives.  Many bugs get reported to companies, and frequently they never get fixed.  The companies don’t give a damn...

    It’s good to have a policy in place and published, so white hats know the situation before spending the time.

    In this case, it’s a security researcher shaming Apple for an inconsistent bug policy.  I personally find the information useful, MacOS became a little less attractive. 

    Extortion would be “I hacked into your web server, and changed the administrator password.  Pay me, if you want to know what it is.”
  • Reply 14 of 25
    lkrupp said:
    What I hope happens is that Apple engineers find and fix the hack on their own and leave the “researcher” twisting in the wind with his hand out. It’s not a protest, it’s extortion and racketeering. 
    Apple now knows about the issue, and can certainly reverse engineer what the researcher did.  The only “hit” Apple gets is to their PR.

    The researcher isn’t “twisting in the wind”; they knew about the lack of a bounty program for MacOS.  They may get paid by the news agency they first reported it to, or not. (Could just have been posted on Twitter, etc.)

    From a consumers perspective, I’d want all bugs reported to Apple and give them 90 days before making it public.  But, I also want as many people (researchers) looking at the security of Apple’s products as possible. So, users don’t get blind-sided with a bunch of zero-day exploits that threaten personal security.

    Bottom line is Apple should have a bug bounty program for MacOS; it strengthens the security of their product.

    If Apple believes in doing everything internally (the dinosaur approach) they wouldn’t have one for iOS.  The inconsistency is odd...
  • Reply 15 of 25
    There have been no reports so far of the exploit being used in the wild, but worried Mac owners can protect themselves by adding an extra password to the login keychain.
    What is the process for doing this? It's annoying to mention something obscure in an article and not tell how to do it. I wonder if I've done this inadvertently. My Macbook wouldn't let me login on startup no matter how many times I entered the correct password. Eventually, I decided to try my previous password and it continued the startup, after which it asked again for my current password.
  • Reply 16 of 25
    volcan Posts: 1,763 member
    jurassic said:

    "1) the person trying to steal your passwords has to first have access to your Mac."

    So don't give your Mac to the hacker... Problem solved! ;-))

    In most cases anyone with access to the Mac can reset the admin password using the recovery partition. Once you have the admin password you can reset the Keychain password. On the other hand File Vault recovery can be a bit problematic.
  • Reply 17 of 25
    jimh2 said:

    So basically he is extorting Apple which is illegal.
    Nope, extortion would be I know about this issue and I'm going to sell it to someone else or make it public if you don't pay me.  He isn't threatening Apple in any way, he is simply saying, "I know about this but I don't have any reason to tell you about it right now."

    extortion | ikˈstôrSH(ə)n | noun

    the practice of obtaining something, especially money, through force or threats.

    Whether this is legitimately a security concern or not, who knows at this point.
  • Reply 18 of 25
    By the way, it’s unclear what Apple’s bug bounty program is and what is covered.

    We’re assuming that iOS is included and MacOS isn’t, as it's being reported.  But, there is nothing I’ve found to confirm that.  Granted I only spent a few minutes looking into it.

    All I can say, is Apple isn’t doing things like other companies...  Why not make it public? All we have is a report (from Apple) that one was created, and limited information on payouts.

    As far as I can tell... it’s invite only.  Don’t contact us, we’ll contact you (if you’re a researcher).

    Each product has a method of reporting bugs, but it seems more geared to the average Joe. (I.e. I can’t print, and I don’t think it’s just me).

    The reason this is important, is it’s related to the recent FaceTime issue.  I can see how the kid got frustrated dealing with Apple, and went public.  It looks like the kid will get paid for that one, but it might just be PR spin.

    Conclusion: Apple would benefit from transparency, their “cloak and dagger” approach is annoying. 
    edited February 6
  • Reply 19 of 25
    ireland Posts: 17,521 member
    lkrupp said:
    What I hope happens is that Apple engineers find and fix the hack on their own and leave the “researcher” twisting in the wind with his hand out. It’s not a protest, it’s extortion and racketeering. 
    It’s not racketeering, and technically it’s not extortion either.
  • Reply 20 of 25
    Can someone please just lay out an understandable process for fixing this, step by step.  Apple should do it immediately, but if anyone can help it would be very appreciated 