Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Bug Desktops (Apple) Technology

Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com) 155

Linuz Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

This discussion has been archived. No new comments can be posted.

Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty

Comments Filter:
  • by fluffernutter ( 1411889 ) on Wednesday February 06, 2019 @11:50AM (#58078956)
    It just works.. If someone wants to know your password.
    • by marklark ( 39287 )

      And, if you're already logged in to the account...

      Logout or have a locking screensaver and you're safe. This would not be a problem in my home.

      • by dgatwood ( 11270 )

        And, if you're already logged in to the account...

        Are you sure? I mean, ostensibly it doesn't work if the keychain is locked, which at least is supposed to happen when you sign out (*not* when the screen saver locks the screen), but can we be certain that this isn't a password bypass attack on the keychain locking itself? The article says nothing about the mechanism of action, nor about conditions under which it is reproducible.

        Logout or have a locking screensaver and you're safe.

        I'm pretty sure that's no

        • by marklark ( 39287 )

          And, if you're already logged in to the account...

          Are you sure?

          No, but if this is the scariest form of the video, I'm not impressed. It demonstrates that the user is logged in and the keychain is already unlocked.

          I mean, ostensibly it doesn't work if the keychain is locked, which at least is supposed to happen when you sign out (*not* when the screen saver locks the screen), but can we be certain that this isn't a password bypass attack on the keychain locking itself? The article says nothing about the mechanism of action, nor about conditions under which it is reproducible.

          I'm assuming that the screensaver is running while "KeySteal" is not yet. So, it can't steal things. If the thief can log in, then they have access to the Keychain anyway.

          Logout or have a locking screensaver and you're safe.

          I'm pretty sure that's not true. Apps continue to run in the background when the screen is locked, and AFAIK have the same access to the keychain as they do when the screen is unlocked.

          Yes, but since it's shown already running in an unlocked session. If the thief can't log in, they can't launch "KeySteal"

          So yes, ostensibly locking the screen prevents someone from running the app, but if somebody manages to couple this with a remote exploit that allows running code without console access, I don't think a locking screensaver will help.

          Those are hypotheticals that are not demonstrated in the video

          • by dgatwood ( 11270 )

            So yes, ostensibly locking the screen prevents someone from running the app, but if somebody manages to couple this with a remote exploit that allows running code without console access, I don't think a locking screensaver will help.

            Those are hypotheticals that are not demonstrated in the video. Maybe if the thief has root access they can steal even more, but that's not demonstrated.

            Those are not hypotheticals. I'm just describing a chained privilege escalation exploit, which is how most actual exploits

    • Do mac users really need passwords??

      Most of them have got to be SteveJobs1234 anyway.

  • by nuckfuts ( 690967 ) on Wednesday February 06, 2019 @11:56AM (#58078986)
    Don't call yourself a "whitehat" if you refuse to behave honorably unless paid a "bounty".
    • by Anonymous Coward on Wednesday February 06, 2019 @12:03PM (#58079016)

      "Even on iOS, where Apple does offer bug bounties, the process for submitting bugs to the company is overly complex and dilatory â" an issue spotlighted in the recent FaceTime spy bug debacle. Researchers have also accused Apple of hiding notices of bug fixes in sneaky ways and of taking too long to address reported issues, even when the security or privacy implications are serious."

      Need I say more?

    • by Anonymous Coward

      Don't tell me Apple gives a damn about users if they want charity AND on a silver platter.

    • by msauve ( 701917 )
      Don't call yourself a company concerned with privacy if you can't secure your products on your own, and won't pay others for their efforts.
    • by AmiMoJo ( 196126 )

      I wouldn't risk reporting a bug unless there was a bug bounty programme. The risk of them turning around and suing you or calling the cops is too great.

      Of course in this case we know Apple doesn't do that so it's not excuse for this guy, but as a general point companies without bug bounties are too risky for many whitehats to go near. Just this week there was a story about some guys who were physically assaulted at a trade show by the CEO of a company they reported a bug too.

  • Apple is rather clear without actually saying it. I really doesn't have interest in the Macintosh platform and OS X.
    Getting a MacBook Pro or a Powerbook back a decade ago, you really got a high end laptop, and for the Time they were attractive units. OS X based on a real Unix Kernel, gave it unprecedented security and stability, all the features that Linux had, plus a UI more advanced then Windows.

    Now OS X is showing its age, the updates on both the hardware and the OS have been lackluster. If I showed you

    • Now OS X is showing its age, the updates on both the hardware and the OS have been lackluster.

      What are you smoking?

      The iMac Pro was great. The new Mac mini was fantastic. The newer laptops are really nice, the only issue being some have issues with the keyboard (which they've mostly resolved in newer models).

      Mojave has been one of the better updates since they focused on optimization and stability improvements...

      If I showed you a 2001 Titanium Powerbook. and the latest Macbook Pro, they will look rather

      • Go buy a bright purple Dell laptop then. Mac owner are the people who care about how well something functions, not how it looks.

        Too bad you weren't there to tell that to Steve Jobs 20 years ago. You could have helped Apple avoid wasting billions of dollars on Lucite.

      • ONLY issue? Please. Soldered-in non-upgradeable RAM and storage are major issues, since Apple charges sodomizing prices for more RAM and/or SSD. A battery that's not easily replaced below the touchpad and keyboard is another issue (it tends to swell, breaking the parts above it). USB-C ports only, check. In the real world, people still need other ports and shouldn't have to carry dongles.

        No. Thinkpad owners are the ones that care about function over looks. X and T series beat the socks off of Macbook

        • by _merlin ( 160982 )

          Yeah, I used to use MacBooks Pros and before that PowerBooks, but I've switched to Dell Latitude. This notebook is unglamorous black plastic, but packs in a lot more functionality for the price, has three USB type A ports, gigabit Ethernet, HDMI, and user-replaceable RAM, SSD, battery, and even keyboard and display. No-one who cares about functionality would be using a MacBook at this point.

      • by iCEBaLM ( 34905 )

        The iMac Pro was great. The new Mac mini was fantastic.

        They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?

        You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?... [youtube.com]

        Apple computers are not a compelling value.

        • by dgatwood ( 11270 )

          The iMac Pro was great. The new Mac mini was fantastic.

          They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?

          You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?... [youtube.com]

          FWIW, the Mac Mini was always overpriced, from the first day that the Intel version shipped. Competing on cost was never Apple's strong point, though they were usually within a few percent on high-end models in their base configuration (with no extra RAM or HD upgrades). Their upgrades have almost always historically been more expensive than buying the machine in the base configuration, buying the upgrade outright, and throwing away the parts you took out.

        • by Jeremi ( 14640 )

          You can build one for about half the price that's smaller and faster:

          The middle third of that video is the presenter going over all the different components that don't quite work right, due to the fact that MacOS/X doesn't support that hardware.

          People who buy Macs are willing to spend extra money in exchange for having a computer that "just works". For them, buying a computer that you have to futz with is like buying a pair of jeans that doesn't fit right and has to be hand-altered -- you could do that and save some money, but it's easier to just spend the extra money to ge

  • by b0s0z0ku ( 752509 ) on Wednesday February 06, 2019 @12:24PM (#58079122)
    It's a Youtube video of some sort of program running. How do we know that the program can proceed without root (or admin user) access? For all we know, the program is given an admin password in its config files -- there's no real proof that it can proceed without credentials.
  • dump-keychain (Score:5, Interesting)

    by johnrpenner ( 40054 ) on Wednesday February 06, 2019 @12:36PM (#58079180) Homepage

    using:

    security dump-keychain -d login.keychain > keychain.txt

    in the terminal works rather nicely. this used to do so without authentication for the individual items.

    newer versions of macOS now ask for user password before revealing passwords — but for a long time, and for older systems, this works quite nicely.

    2cents from slushy toronto
    john p

  • by jjshoe ( 410772 ) on Wednesday February 06, 2019 @12:42PM (#58079224) Homepage

    1) He hasn't released how to actually exploit it.
    2) This is a five, maybe six, figure bug on the black market.
    3) He's simply saying 'Hey, wake up, you're doing a giant disservice to all your users by pushing people to the black market.'

    • Is he just going to sit on it if Apple doesn't pay? Assuming this isn't all LARPing, do you think he's safe walking around with such a valuable 0day and supposedly altruistic intentions? Do you think he's not already getting seven figure crypto offers for it?

      The way he went about this shows that the guy is already ethically compromised.
      • by jjshoe ( 410772 )

        1) Rhetorical, clearly.
        2) I think his odds of harm coming to him are less than a vehicle involved accident.
        3) No.

        • 1) It's not clear that he'll just sit on it, especially considering he hasn't told a soul what it actually is. He could sell it on the black market and nobody would know it was this exact expoit.
          2) You said yourself that it's six figure exploit. You can have someone killed in the low fives.
          3) If it's a six figure exploit why wouldn't he be receiving credible offers?
          • by Holi ( 250190 )
            In what way does killing him help reveal his exploit? That makes zero sense in this case.
            • by Jeremi ( 14640 )

              In what way does killing him help reveal his exploit? That makes zero sense in this case.

              You're right, it doesn't, but I've watched enough TV shows to imagine someone deciding to provide him with a little "wrench therapy" until he agrees to cough up the exploit to them.

              Not that I think that's really likely either -- life isn't like a TV plot. But it's conceivable.

    • by lazarus ( 2879 ) on Wednesday February 06, 2019 @01:34PM (#58079428) Journal

      If he uses this to, say, recover $145M in cryptocurrency from a laptop, then I'm sure he will do well...

  • by fortythirteen ( 5606969 ) on Wednesday February 06, 2019 @12:45PM (#58079242)
    In "protest of a lack of bug bounties" this individual is:

    1. Posting a YouTube video showing a purported P1, 0day security exploit.
    2. Not releasing any information on how to reproduce or resolve their expoit.
    3. Holding out for Apple to pay a "bug bounty" (read: ransom)

    We're through the looking glass is this is what qualifies as "security research" nowadays.
    • by Anonymous Coward

      In "protest of a lack of bug bounties" this individual is:
      1. Posting a YouTube video showing a purported P1, 0day security exploit.
      2. Not releasing any information on how to reproduce or resolve their expoit.
      3. Holding out for Apple to pay a "bug bounty" (read: ransom)
      We're through the looking glass is this is what qualifies as "security research" nowadays.

      Don't hate the player, hate the game.
      Congress decided companies can disclaim liability for most security vulnerabilities.
      Economically then, there is no incentive to fix those vulnerabilities.

      Somebody decided to play by the rules as they stand now, and you're crying foul.
      Hate the game? Then change the rules.

  • by Pinky's Brain ( 1158667 ) on Wednesday February 06, 2019 @01:11PM (#58079344)

    White hats were reporting exploits long before you could make money with it, the money is not some inherent right. The guy is not a white hat, he's an asshat.

  • I have pressed every button on a Mac at least once and none show passwords. Do I have to type in a command line and then hit one button? In which case I can also create a complete post like this one with just one button.

  • This article's summary begins with "Linuz Henze, a credible researcher....." but the linked article reports "Previously credible researcher Linuz Henze...."
    Zero to hero in quick time!
    • How, exactly, does any of this affect his credibility as a researcher? If the report checks out as reproducible, that should only make his research more credible. His job is research, not Apple customer service.
  • It just works
  • I'd like to see a law requiring disclosure of vulnerabilities with penalties for non-compliance.

    But first, I want a law that makes companies liable for bugs and vulnerabilities, i.e. one that outlaws most of the terms in shrink-wrap licenses. When companies actually pay damages, they'll start being A Lot More Careful.

    • When companies actually pay damages, they'll start being A Lot More Careful.

      Good, cheap, fast: pick any two. If you assume good = careful, then either the software will be cheap, but slow between releases; or fast but expensive. Most consumers prefer cheap. One problem with cheap but slow is that companies need to be able to pay their employees between releases.

  • This has been known for a long time. How is this person taking credit for something we have been using to help retrieve forgotten passwords or help move a user to a new MAC??
  • since when do white hats do something for money.
    there have been white hats who made security issues public before fixed were available, sure, but most of the time after working (or trying to work) for months with the company in questions and finally hitting a dead end. you use it as a last resort.

Whoever dies with the most toys wins.

Working...