Researcher demos new macOS Keychain exploit, holds data from Apple in protest
A veteran security researcher this week revealed the existence of a new macOS Keychain exploit, while controversially saying he wouldn't share details with Apple because of its bug bounty policies.

A demo app, "KeySteal," is able to extract login and System passwords from Keychain without any administrator privileges, and regardless of whether System Integrity Protection or Access Control Lists are configured, according to Linus Henze. Items in the iCloud Keychain are immune, Henze told Heise.
There have been no reports so far of the exploit being used in the wild, but concerned Mac owners can protect themselves by adding an extra password to the login keychain.
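The mitigation the article names, giving the login keychain its own password and making it lock automatically, can be applied and checked with the macOS `security` command-line tool. The script below is an added example, not code from the article or from the KeySteal researcher; it assumes the standard login keychain path, and the two `security show-keychain-info` output lines used for the offline check are constructed samples of that command's output shape, not captured from a real machine.

```shell
#!/bin/sh
# Added example: harden the macOS login keychain (separate password + auto-lock)
# and check whether auto-lock is configured. Assumes the default keychain path.

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Interactive: `security` prompts for the old and new keychain password itself,
# so the new password is never passed on the command line or saved in history.
set_separate_keychain_password() {
    security set-keychain-password "$LOGIN_KEYCHAIN"
}

# Lock the login keychain when the Mac sleeps (-l) and after N idle seconds (-u -t).
set_keychain_autolock() {
    timeout_s="${1:-300}"
    security set-keychain-settings -l -u -t "$timeout_s" "$LOGIN_KEYCHAIN"
}

# Inspect one line of `security show-keychain-info` output.
# Returns 0 only when both lock-on-sleep and an idle timeout are present.
keychain_autolock_ok() {
    info="$1"
    case "$info" in
        *lock-on-sleep*timeout=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample outputs (shape of `security show-keychain-info`, not real captures).
SAMPLE_HARDENED='Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_DEFAULT='Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout'

# Live check on macOS; elsewhere falls back to the constructed default sample
# so the logic can still be exercised.
check_login_keychain() {
    if [ "$(uname -s)" = Darwin ] && command -v security >/dev/null 2>&1; then
        info="$(security show-keychain-info "$LOGIN_KEYCHAIN" 2>&1)"
    else
        info="$SAMPLE_DEFAULT"
    fi
    if keychain_autolock_ok "$info"; then
        echo "login keychain auto-locks: $info"
    else
        echo "login keychain does NOT auto-lock: $info"
        return 1
    fi
}

# Report the current state; the two set_* functions above apply the fix.
check_login_keychain || echo "run set_separate_keychain_password and set_keychain_autolock to harden"
```

Changing the keychain password through the interactive prompt rather than with `-p` keeps it out of shell history and process listings; the auto-lock settings mean an unlocked keychain is not left open indefinitely on an unattended, awake machine.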
Henze's protest stems from the fact that the company's bug bounty program only covers iOS, not macOS. Independent researchers can be dependent on such payouts.
Even within the iOS sphere Apple's program has been criticized as comparatively stingy, paying less than what third-party firms are offering. One such outfit, Zerodium, recently hiked its bounties to as high as $2 million for a remote, persistent, "zero-click" iOS jailbreak. The most Apple will pay is $200,000 even with the integrity of its platforms at stake.

Comments
So basically he is extorting Apple which is illegal.
1) the person trying to steal your passwords has to first have access to your Mac.
2) he then ran some app to get your passwords...I’m guessing all this app does is enter your Mac’s password for the keychain items automatically and then extracts them and displays them all in a list, so, again, back to 1).
3) you can also lock keychain so that it has to be opened with a password, so they’d need not only your Mac’s password, but keychain’s password...this is not the default for keychain.
i think this is click bait for the app. Some people might like a list of all the passwords in keychain.
Is it unethical for this person to withhold this important security info from Apple until they get paid? Yes absolutely.
"1) the person trying to steal your passwords has to first have access to your Mac."
So don't give your Mac to the hacker... Problem solved! ;-))
No one guarantees white hat hackers an income, unless they have an employment contract. If they uncover vulns in a company's products, they hope to be compensated by the company according to the seriousness of the vulnerabilities. If they know a company doesn't offer compensation for uncovering bugs in a certain product, they're either doing the work pro bono or are at least thinking about extortion — or worse.
This looks like a reasonably concerning issue. I have no idea how the interaction between the researcher and Apple went or who's being the bigger asshat. The researcher's behaviour seems unethical. Apple's bounty program is badly lacking as well. No cookies for anyone.
Curious, which other exploits can it be chained with? Do you have a working list to demonstrate for us? Or are you fabricating "what-if" scenarios to make this seem worse than it is?
Apple isn’t the only one who refuses to pay for bugs/exploits, Sony does the same, and it weakens their products' security.
Most companies these days work with white hats to improve their products' security, and it benefits both parties. Microsoft saves a bundle doing so...
What is curious is why Apple cares less about the security of MacOS than it does about iOS...
Each company has the right to pay for exploits or not. Security researchers have the right to make a living. Some researchers will report exploits without pay, but overall companies that don’t pay should expect less assistance.
If you look at requirements for reporting exploits, it’s a non-trivial amount of work. Many, many researchers won’t bother without monetary incentives. Many bugs get reported to companies, and frequently they never get fixed. The companies don’t give a damn...
It’s good to have a policy in place and published, so white hats know the situation before spending the time.
In this case, it’s a security researcher shaming Apple for an inconsistent bug policy. I personally find the information useful, MacOS became a little less attractive.
Extortion would be “I hacked into your web server, and changed the administrator password. Pay me, if you want to know what it is.”
The researcher isn’t “twisting in the wind”; they knew about the lack of a bounty program for MacOS. They may get paid by the news agency they first reported it to, or not. (Could have just been posted on Twitter, etc.)
From a consumer's perspective, I’d want all bugs reported to Apple and give them 90 days before making it public. But, I also want as many people (researchers) looking at the security of Apple’s products as possible, so users don’t get blind-sided with a bunch of zero-day exploits that threaten personal security.
Bottom line is Apple should have a bug bounty program for MacOS; it strengthens the security of their product.
If Apple believes in doing everything internally (the dinosaur approach) they wouldn’t have one for iOS. The inconsistency is odd...
the practice of obtaining something, especially money, through force or threats.
Whether this is legitimately a security concern or not, who knows at this point.
We’re assuming that iOS is included and MacOS isn’t, as it’s being reported. But, there is nothing I’ve found to confirm that. Granted, I only spent a few minutes looking into it.
All I can say, is Apple isn’t doing things like other companies... Why not make it public? All we have is a report (from Apple) that one was created, and limited information on payouts.
As far as I can tell... it’s invite only. Don’t contact us, we’ll contact you (if you’re a researcher).
Each product has a method of reporting bugs, but it seems more geared to the average Joe. (I.e. I can’t print, and I don’t think it’s just me).
The reason this is important, is it’s related to the recent FaceTime issue. I can see how the kid got frustrated dealing with Apple, and went public. It looks like the kid will get paid for that one, but it might just be PR spin.
Conclusion: Apple would benefit from transparency, their “cloak and dagger” approach is annoying.