Security researcher hands Apple details of Keychain bug, calls for explanation regarding l...

Posted in General Discussion
Linus Henze has informed Apple of all details regarding a bug he discovered in the macOS Keychain security software, and has done so without payment from the company. He previously withheld the information in protest of the company's lack of a Bug Bounty for Mac, but now says the problem is too important to keep to himself.

German teenager Linus Henze has sent Apple full details of a Keychain security exploit that he demonstrated in early February, and has done so despite the company ignoring his previous conditions. Henze says that he has decided to reveal the details to Apple because the bug he's found "is very critical and because the security of macOS users is important to me."

I've decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I've sent them the full details including a patch. For free of course.

-- Linus Henze (@LinusHenze)
The 18-year-old had discovered a macOS bug that could allow apps to see passwords held in Mojave's Keychain security feature. He developed an app he called KeySteal to demonstrate it, but originally refused to inform Apple. Henze was protesting against the fact that Apple has no Bug Bounty program for macOS the way it does for iOS.

"I'm willing to immediately submit you the full details - including a patch," he said in an email to the company dated Feb. 5. "If an official Apple representative sends me an official (and reasonable!) statement why Apple does not have nor wants to create a Bug Bounty program for macOS."

Apple did reach out to Henze to ask about his discovery, but not to discuss his demands. On Feb. 8, he emailed again, re-stating his conditions, but seemingly got no response.

There have been no reports of the exploit being used by malicious apps, but AppleInsider explained that concerned users can protect themselves by giving the login keychain its own password. By default the login keychain shares the account password and is unlocked automatically at login; once its password differs from the account password (in Keychain Access, select the "login" keychain and use Edit, Change Password for Keychain "login"), the keychain stays locked until a prompt unlocks it, and an app cannot read its contents while it is locked.
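As an added example that is not part of the AppleInsider article, the script below audits and applies that mitigation from the command line using the macOS `security` tool. It assumes the default login keychain path (`~/Library/Keychains/login.keychain-db`) and the `security show-keychain-info` output format shown in the comments; the `keychain_autolocks` parser is plain POSIX sh and can be exercised anywhere, while the audit and hardening functions only do anything on a Mac.

```sh
#!/bin/sh
# Added example, not from the article: audit and harden the macOS login keychain
# so that it is not left permanently unlocked. Assumes the macOS security(1)
# tool and the default keychain path below (both are assumptions, not facts
# from the article). The parser is pure POSIX sh and runs on any system.

LOGIN_KC="${LOGIN_KC:-$HOME/Library/Keychains/login.keychain-db}"

# Parse one line of `security show-keychain-info` output, e.g.
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout
# Returns 0 only when the keychain locks on sleep AND after at most $2 seconds
# (default 300) of inactivity. no-timeout, a missing lock-on-sleep flag, a
# timeout above the limit, or unparseable text all return 1.
keychain_autolocks() {
    info="$1"
    max="${2:-300}"
    case "$info" in
        *lock-on-sleep*) ;;
        *) return 1 ;;
    esac
    case "$info" in
        *timeout=*s*) ;;
        *) return 1 ;;
    esac
    t="${info##*timeout=}"   # drop everything up to and including "timeout="
    t="${t%%s*}"             # keep the digits before the trailing "s"
    case "$t" in
        ''|*[!0-9]*) return 1 ;;   # not a plain integer
    esac
    if [ "$t" -gt 0 ] && [ "$t" -le "$max" ]; then
        return 0
    else
        return 1
    fi
}

# Live audit on a Mac. Exit status: 0 = hardened, 1 = weak settings,
# 2 = security(1) unavailable or the keychain could not be queried.
audit_login_keychain() {
    command -v security >/dev/null 2>&1 || { echo "security(1) not found" >&2; return 2; }
    info="$(security show-keychain-info "$LOGIN_KC" 2>&1)" || { echo "$info" >&2; return 2; }
    if keychain_autolocks "$info" 300; then
        echo "OK: $info"
        return 0
    fi
    echo "WEAK: $info" >&2
    return 1
}

# Apply the mitigation the article describes (a login keychain password that
# differs from the account password, so the keychain is no longer unlocked at
# login) plus lock-on-sleep and a 5-minute inactivity lock. With -o/-p omitted,
# set-keychain-password prompts interactively, keeping both passwords out of
# shell history.
harden_login_keychain() {
    command -v security >/dev/null 2>&1 || { echo "security(1) not found" >&2; return 2; }
    security set-keychain-password "$LOGIN_KC"
    security set-keychain-settings -l -u -t 300 "$LOGIN_KC"
    security lock-keychain "$LOGIN_KC"
}

# Usage: sh keychain_audit.sh audit    (check current settings)
#        sh keychain_audit.sh harden   (set a separate password and auto-lock)
case "${1:-}" in
    audit)  audit_login_keychain ;;
    harden) harden_login_keychain ;;
esac
```

Note that a separate keychain password means macOS will prompt for it the first time an app asks for a stored secret after login or after the keychain auto-locks; that prompt is the point of the mitigation, since it turns a silent read into a visible request.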

While Apple does have a Bug Bounty program for researchers who find security problems in iOS, even that program has been called stingy compared to those of other firms.

Comments

  • Reply 1 of 32
    carnegie (726 posts, member)
    People generally can't be held liable (e.g., through a civil action) for (negligent) omissions which lead to harm suffered by others. But there are exceptions to that general rule.

    I don't know all the details of this situation, and he's in Germany so applicable principles might be very different, but I wouldn't rule out the possibility that he could face civil liability if he didn't take reasonable action (e.g. revealing details of the exploit to Apple) to mitigate the risk of harm to others. Again, the general rule would protect him from such liability. But I can think of exceptions which could possibly apply in this case. So it's possible - though I don't mean to suggest likely, I just don't know enough to make such an assessment - that he's now been made aware that he could face civil liability if he doesn't disclose the details of the exploit to Apple and, as a result of Apple not being able to address the problem as quickly, third parties are harmed.
  • Reply 2 of 32
    macxpress (4,896 posts, member)
    It shows the rest of the world just how out of touch Apple is with the rest of us. "Their shit don't stink"
    So because Apple doesn't have a bug bounty program for the outside world "their shit doesn't stink"? Right! 
  • Reply 3 of 32
    kimberly (229 posts, member)
    carnegie said:
    People generally can't be held liable (e.g., through a civil action) for (negligent) omissions which lead to harm suffered by others. But there are exceptions to that general rule.

    I don't know all the details of this situation, and he's in Germany so applicable principles might be very different, but I wouldn't rule out the possibility that he could face civil liability if he didn't take reasonable action (e.g. revealing details of the exploit to Apple) to mitigate the risk of harm to others. Again, the general rule would protect him from such liability. But I can think of exceptions which could possibly apply in this case. So it's possible - though I don't mean to suggest likely, I just don't know enough to make such an assessment - that he's now been made aware that he could face civil liability if he doesn't disclose the details of the exploit to Apple and, as a result of Apple not being able to address the problem as quickly, third parties are harmed.
    What?
  • Reply 4 of 32
    The arrogance of some people who demand explanations.
  • Reply 5 of 32
    ireland (17,617 posts, member)
    Bad PR will continue to shape Apple’s decisions.
  • Reply 6 of 32
    lkrupp (7,158 posts, member)
    ireland said:
    Bad PR will continue to shape Apple’s decisions.
    Blathering nonsense. What bad PR? With disgruntled nerds on a tech blog? You flatter yourself too much. What this kid did could easily be construed as extortion. He threatened Apple with withholding information unless they paid him. Should Apple have a macOS bug bounty? That’s up to Apple. Should researchers just keep macOS bugs to themselves unless they get paid? Again, that’s up to the researcher. But to try and publicly hold up Apple for money is seedy and base. 
  • Reply 7 of 32
    chasm (1,593 posts, member)
    I'm glad Linus decided to do the right thing. I concur with him that Apple should have a macOS bug-bounty program like the one that exists for iOS. But I disagreed that he had the right to try and blackmail one into existence -- Apple had zero reason to believe his claim without details or proof-of-concept, neither of which he provided.

    The sensible thing to do would be to band together with other security researchers and petition for such a program, not try low-level extortion as a first approach. Apple was absolutely right to respond but ignore the demands.
  • Reply 8 of 32
    daven (529 posts, member)
    There should be a bug bounty program for Mac OS. I would think that Apple could set one up with some sort of cap and a general pay scale with Apple setting the payoff appealable to a designated third party. Granted it will entice more hacking in the short run but you can bet that countries are already hacking away but just not releasing the bugs. A bounty system will let Apple know where the weaknesses are and Apple will close many of them.
  • Reply 9 of 32
    I don't think this was handled well. It's fair to call out apple for a lack of a bounty programme for macOS, but quasi-ransom is not the behaviour of a white hat.
    edited March 3
  • Reply 10 of 32
    chasm said:
    I'm glad Linus decided to do the right thing. I concur with him that Apple should have a macOS bug-bounty program like the one that exists for iOS. But I disagreed that he had the right to try and blackmail one into existence -- Apple had zero reason to believe his claim without details or proof-of-concept, neither of which he provided.

    The sensible thing to do would be to band together with other security researchers and petition for such a program, not try low-level extortion as a first approach. Apple was absolutely right to respond but ignore the demands.
    I think it’s pretty obvious that people have contacted Apple multiple (thousands of) times about a bug-bounty program and either there was no response or a determination not to have one.

    Bringing attention to Apple’s inconsistencies with a bug-bounty for iOS and a lack of one for MacOS is a good thing.  

    There was no blackmail!  There was no exploit in the wild.  No one was a risk yet.  But, it was just a matter of time before it became an issue, and the researcher decided to release more information to Apple.

    The real risk here is Apple’s half-assed approach to security for MacOS.  I own an iPhone and iPad, and I was looking forward to a MacOS-based purchase (probably an A Series one).  My motivation for sticking with Apple was their superior approach to security in iOS vs Google.  But, the lack of a bug-bounty program means MacOS is inferior to Windows.  Windows has plenty of flaws (not a fan of Windows 10) but there are enough advantages, especially in hardware, that my next PC will be Windows.

    This determination is important.  I’ve found myself spending more time looking at Android devices also. My desire to go “all Apple” has fallen apart.

    I’m not in the market for a phone at the moment, but Samsung’s DeX is cooler than Apple’s AR with no uses.
    https://www.samsung.com/us/business/solutions/samsung-dex/

    My perception of Apple recently is “hear no evil, see no evil” or, if a security issue isn’t in the news, and therefore not a PR problem... it’s not that big a problem.  Security is a 24/7 problem! Not a fan of Apple’s approach...  If I’m not aware of a problem, I can’t mitigate the risk.
  • Reply 11 of 32
    macxpress (4,896 posts, member)
    Honestly, with the little punk's attitude, he shouldn't get anything from Apple, and choosing to go the social media route shouldn't help his case either.
  • Reply 12 of 32
    MplsP (1,454 posts, member)
    Good for Linus for telling Apple about the bug; bad for Apple for their weak response.

    lkrupp said:
    ireland said:
    Bad PR will continue to shape Apple’s decisions.
    Blathering nonsense. What bad PR? With disgruntled nerds on a tech blog? You flatter yourself too much. What this kid did could easily be construed as extortion. He threatened Apple with withholding information unless they paid him. Should Apple have a macOS bug bounty? That’s up to Apple. Should researchers just keep macOS bugs to themselves unless they get paid? Again, that’s up to the researcher. But to try and publicly hold up Apple for money is seedy and base. 
    For issues like this, tech nerds play a disproportionate role in the perception and reputation of a company. Apple prides itself on privacy and security. Bounty programs are rapidly becoming industry standard. Hackers do a lot of work for tech companies by finding these bugs. Whether Apple chooses to compensate them for their work (and for the security value they provide) is obviously up to Apple, but when other companies have bounty programs it makes Apple look cheap and increases the risk that people either won't continue to look for Mac security flaws or, worse, will sell them to someone else who will pay.
  • Reply 13 of 32
    jbhoule (20 posts, member)
    Give Apple a break, they just don't have the budget for frills like a MacOS bounty program.
  • Reply 14 of 32
    At this point, Apple just wants MacOS to die. If it is some critical security bug that does it, that's fine by Apple.
  • Reply 15 of 32
    mdriftmeyer (7,282 posts, member)
    If he hasn't heard back from Apple, it is part of a known issue that is more of an architecture restructure and testing across several frameworks to shore up any issues. And no, he won't get a dime for an already known internal issue that is currently being worked on towards the next general OS X release.
  • Reply 16 of 32
    tyler82 (868 posts, member)
    At this point, Apple just wants MacOS to die. If it is some critical security bug that does it, that's fine by Apple.
    If this happens, I'm going to Linux for my desktop OS as well as smartphone. iOS is great as a complement to OS X but I loathe the day it is "the" OS.
    edited March 4
  • Reply 17 of 32
    bwik (562 posts, member)
    Mac OS is a dying (dead) ecosystem; I say this as a longtime user.  Microsoft has the right approach - convergence.  Apple should follow that.  Run MacOS within iOS as a bridge step, just as was done 20 years ago with OS9 Rhapsody.  Eventually support can be dropped for MacOS compatibility as iOS gains the essential functions of MacOS.  If something is not busy being born, it is busy dying.
  • Reply 18 of 32
    At this point, Apple just wants MacOS to die. If it is some critical security bug that does it, that's fine by Apple.
    That makes no sense.

    If Apple wants to kill macOS they can stop selling Macs, and just take the $25 billion revenue hit—nearly the size of a Fortune 100 company btw—and skip the part where they shoot themselves in the foot by trashing their reputation. 

    But I get it... Mr. Cook hates the Mac and wants to force you to use an iPad. *eyeroll*
  • Reply 19 of 32
    mike54 (339 posts, member)
    "... macOS users is important to me."
    Sad to say, Linus, but Tim Cook doesn't give a rat's about macOS. There are plenty of examples that prove it. It's only there to develop iOS programs.

    Anyway, be proud that you've done the right thing for Apple's customers, while Tim Cook's Apple doesn't care.
  • Reply 20 of 32
    foljs (335 posts, member)
    The arrogance of some people who demand explanations.
    Arrogance? He did their work for them (and for us). Explanations were the least they could give him.

    Other companies give monetary rewards for such findings.