Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com)
Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.
While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.
It just works (Score:4, Funny)
Re: (Score:2)
And, if you're already logged in to the account...
Logout or have a locking screensaver and you're safe. This would not be a problem in my home.
Re: (Score:2)
Are you sure? I mean, ostensibly it doesn't work if the keychain is locked, which at least is supposed to happen when you sign out (*not* when the screen saver locks the screen), but can we be certain that this isn't a password bypass attack on the keychain locking itself? The article says nothing about the mechanism of action, nor about conditions under which it is reproducible.
I'm pretty sure that's no
Re: (Score:2)
Are you sure?
No, but if this is the scariest form of the video, I'm not impressed. It demonstrates that the user is logged in and the keychain is already unlocked.
I mean, ostensibly it doesn't work if the keychain is locked, which at least is supposed to happen when you sign out (*not* when the screen saver locks the screen), but can we be certain that this isn't a password bypass attack on the keychain locking itself? The article says nothing about the mechanism of action, nor about conditions under which it is reproducible.
I'm assuming that the screensaver is running while "KeySteal" is not yet. So, it can't steal things. If the thief can log in, then they have access to the Keychain anyway.
I'm pretty sure that's not true. Apps continue to run in the background when the screen is locked, and AFAIK have the same access to the keychain as they do when the screen is unlocked.
Yes, but since it's shown already running in an unlocked session. If the thief can't log in, they can't launch "KeySteal"
So yes, ostensibly locking the screen prevents someone from running the app, but if somebody manages to couple this with a remote exploit that allows running code without console access, I don't think a locking screensaver will help.
Those are hypotheticals that are not demonstrated in the video
Re: (Score:2)
Those are not hypotheticals. I'm just describing a chained privilege escalation exploit, which is how most actual exploits
It begs the question (Score:1)
Do mac users really need passwords??
Most of them have got to be SteveJobs1234 anyway.
Re:So, blackmail? (Score:5, Interesting)
Comment removed (Score:5, Interesting)
Re:So, blackmail? (Score:5, Interesting)
It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question. 0Day exploits can fetch a lot of money on the open market and if companies don't want those exploits published to the public then they will have to compete with the open market to obtain them.
^^This. No one is under any ethical or legal obligation to report their discovered bugs to Apple (as it should be).
Legal? You're absolutely right. But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.
Re:So, blackmail? (Score:5, Informative)
Re:So, blackmail? (Score:5, Insightful)
Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.
Apple didn't expect or require anything from him. He knew before he started that Apple doesn't pay bounties for bugs and he still chose to spend his time and effort looking for a bug specifically so he could release it into the wild. He could have spent his time researching software from a company that does pay bounties for bugs.
He's a dick.
Re: (Score:3)
Re: (Score:2)
That doesn't mean I am happy I don't have a new headphone adapter on my Macbook Pro. Oh wait, even their base model has one. Maybe you're talking about the iMac not having a headphone jack. Oh wait... the iMac also has a headphone jack.
So your ire must be that the most portable Apple gadgets -- the iPhone and the iPad -- n
Re: (Score:2)
Re: (Score:2)
You seem very
Re: (Score:2)
Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free?
Point me to the document / press release where Apple asks outsiders to spend thousands of man hours to find bugs.
Re: (Score:2)
Realistically, they should be doing something to ensure that the wrong people don't find the bugs first. Or at least keep egg from their faces.
Sorry, are you suggesting Apple doesn't do anything to ensure their products don't have bugs or security holes?
Re: (Score:2)
Saying the guy is a dick for revealing the exploit is like saying your neighbour is a dick for leaving a note on your door saying "Stop leaving your front door open, you will get robbed"
Uh no, it's not at all like that. It's like your neighbor discovering your door is unlocked and putting a note on everyone's door letting them know.
https://slashdot.org/comments.... [slashdot.org]
Re: (Score:3)
Then, when you tell the company about the exploit, and they ignore it for an entire year, what should you do? At some point, you have an obligation to make the exploit public so that the company is forced to deal with it, instead of letting others who discovered it in private exploit it freely. It's why Google has a responsible disclosure policy that involves telling the company privately for a certain amount of time, then a public disclosure a set number of days after.
You are blackmailing by crying blackmail! (Score:3)
Just because you want to blackmail him into giving his work for free to Apple doesn't mean that's the ethical choice. As long as he is not DIRECTLY harming others, his disclosures still fall on the ethical side. You, however, fall on the "troll" side.
Re: (Score:2)
As long as he is not DIRECTLY harming others, his disclosures still fall on the ethical side.
There is no legal or moral argument that supports that line of thinking.
Re: (Score:2)
There is no legal or moral argument that supports that line of thinking.
There is no evidence that you know anything about legal or moral arguments, nor that you are an authority on anything.
Re: (Score:2)
Actually there is. Ever heard of accessory to a crime?
https://en.wikipedia.org/wiki/... [wikipedia.org]
E.g., if I give you the key to someone's house so you can murder them, I'm not innocent. This is such common sense it's hard to believe you are challenging it.
Re: (Score:2)
It really seems you are accusing him of acts he has not performed.
Re: (Score:2)
Well, a fella has to make a living somehow.....
You gotta pay the bills and this kind of work takes time and effort, so.....
Re: (Score:2, Offtopic)
So a heart surgeon shouldn't expect pay? It's just an hour of his time to save a life, after all.
Re: (Score:2)
"I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid."
I know a way to secure our products. There's an action I could take, requiring a little bit of capital and time, to do that. But I choose to release buggy, insecure shit."
Don't pass the buck downstream. Withholding disclosures is doubly dumb because you don't know who else has found the same flaw.
Re: (Score:2)
Re: (Score:2)
It's generally considered that there is an ethical obligation to report security issues.
It may be illegal to disclose those flaws publicly without notifying the company first. It's almost certainly illegal pretty much everywhere to sell them. "Give me money or I'm going to publish/sell this flaw I discovered" is likewise illegal.
And, to make your point more clear... (Score:2)
A true black hat would be getting whatever they could for the bug on the black market (and silently hurting Apple's customers), rather than taking an action that could (a) help Apple help its customers better long-term (even if there is short term pain) and (b) help other security researchers (who also have to eat, after all) by forcefully pointing out Apple's current policy. If Apple changes the policy to a researcher's liking, that res
Re: (Score:1)
It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question.
IKR. It's completely reasonable to compromise the security of hundreds of thousands of users because you didn't get your paycheck.
Re: (Score:2)
Re:So, blackmail? (Score:4, Insightful)
Back in my day, we just tried to follow "responsible disclosure", and reported vulnerabilities because it made the world a safer place.
This kind of stunt undermines that, by making responsible researchers (like me) more easily confused with actual blackmailers.
Re: (Score:2)
The distinction is likely the amount of time invested. I would hazard you stumbled across them or find them via some minor poking which is distinctly different from today where researchers are writing complex software and spending inordinate amounts of time.
Of course the clear answer would be if you're looking to get paid not to bother with vendors that won't compensate you for the time invested.
Re: (Score:2)
Re: (Score:2)
Quite the contrary -- if a flaw exists, someone else is probably already exploiting it.
Re: (Score:2)
I didn't say there was. The unethical mention in my comment was relating to the blackmail aspect.
Re: (Score:2)
Re: (Score:2)
If you think this is "blackmail" I think you have a fundamental misunderstanding of the way blackmail works. You're supposed to *threaten* doing something bad and ask for payment in order to not do the bad thing in order to blackmail someone. Disclosure without the threat or request for payment is just a straight up "fuck you", which is very different (ethically and legally).
Re: (Score:2)
Bug bounty programs are a fucking scam.
They exist only to benefit companies. They get the PR points for "caring" about security, they get the benefit of people doing their job for them for pennies on the dollar, and they get the control they truly crave. If you want that pittance you need to abide by their terms, meaning you've got to expose your real identity and wait for months for a response, and even longer for a fix (if one ever comes). If you change your mind and think it's better to go public, you
What a callous prick. (Score:4, Insightful)
Re: What a callous prick. (Score:4, Informative)
"Even on iOS, where Apple does offer bug bounties, the process for submitting bugs to the company is overly complex and dilatory -- an issue spotlighted in the recent FaceTime spy bug debacle. Researchers have also accused Apple of hiding notices of bug fixes in sneaky ways and of taking too long to address reported issues, even when the security or privacy implications are serious."
Need I say more?
Re: (Score:1)
Don't tell me Apple gives a damn about users if they want charity AND on a silver platter.
Re: (Score:3)
Re: (Score:2)
I wouldn't risk reporting a bug unless there was a bug bounty programme. The risk of them turning around and suing you or calling the cops is too great.
Of course in this case we know Apple doesn't do that so it's no excuse for this guy, but as a general point companies without bug bounties are too risky for many whitehats to go near. Just this week there was a story about some guys who were physically assaulted at a trade show by the CEO of a company they reported a bug to.
RIP OS X (Score:2)
Apple is rather clear without actually saying it. It really doesn't have interest in the Macintosh platform and OS X.
Getting a MacBook Pro or a Powerbook back a decade ago, you really got a high end laptop, and for the time they were attractive units. OS X, based on a real Unix kernel, gave it unprecedented security and stability, all the features that Linux had, plus a UI more advanced than Windows.
Now OS X is showing its age, the updates on both the hardware and the OS have been lackluster. If I showed you
Updates lately have been great (Score:1)
Now OS X is showing its age, the updates on both the hardware and the OS have been lackluster.
What are you smoking?
The iMac Pro was great. The new Mac mini was fantastic. The newer laptops are really nice, the only issue being some have issues with the keyboard (which they've mostly resolved in newer models).
Mojave has been one of the better updates since they focused on optimization and stability improvements...
If I showed you a 2001 Titanium Powerbook, and the latest Macbook Pro, they will look rather
Re: (Score:2)
Go buy a bright purple Dell laptop then. Mac owners are the people who care about how well something functions, not how it looks.
Too bad you weren't there to tell that to Steve Jobs 20 years ago. You could have helped Apple avoid wasting billions of dollars on Lucite.
Re: (Score:2)
ONLY issue? Please. Soldered-in non-upgradeable RAM and storage are major issues, since Apple charges sodomizing prices for more RAM and/or SSD. A battery that's not easily replaced below the touchpad and keyboard is another issue (it tends to swell, breaking the parts above it). USB-C ports only, check. In the real world, people still need other ports and shouldn't have to carry dongles.
No. Thinkpad owners are the ones that care about function over looks. X and T series beat the socks off of Macbook
Re: (Score:2)
Yeah, I used to use MacBooks Pros and before that PowerBooks, but I've switched to Dell Latitude. This notebook is unglamorous black plastic, but packs in a lot more functionality for the price, has three USB type A ports, gigabit Ethernet, HDMI, and user-replaceable RAM, SSD, battery, and even keyboard and display. No-one who cares about functionality would be using a MacBook at this point.
Re: (Score:2)
They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?
You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?... [youtube.com]
Apple computers are not a compelling value.
Re: (Score:3)
They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?
You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?... [youtube.com]
FWIW, the Mac Mini was always overpriced, from the first day that the Intel version shipped. Competing on cost was never Apple's strong point, though they were usually within a few percent on high-end models in their base configuration (with no extra RAM or HD upgrades). Their upgrades have almost always historically been more expensive than buying the machine in the base configuration, buying the upgrade outright, and throwing away the parts you took out.
Re: (Score:2)
You can build one for about half the price that's smaller and faster:
The middle third of that video is the presenter going over all the different components that don't quite work right, due to the fact that MacOS/X doesn't support that hardware.
People who buy Macs are willing to spend extra money in exchange for having a computer that "just works". For them, buying a computer that you have to futz with is like buying a pair of jeans that doesn't fit right and has to be hand-altered -- you could do that and save some money, but it's easier to just spend the extra money to ge
Re: (Score:2)
Apple can't afford ...
It is hard to believe someone could write that seriously.
Apple has around $240 billion cash on hand. They could allocate $10 billion to nothing but awards for bug fixes and they wouldn't even feel it. Arguably they could do that every year.
Re:The 2014 MacBook Pro is Ancient (Score:4, Interesting)
Apple has around $240 billion cash on hand. They could allocate $10 billion to nothing but awards for bug fixes and they wouldn't even feel it. Arguably they could do that every year
Yeah, or they could hire enough people to find (and prevent!) the bugs before they reach customers. But clearly, they don't care enough to do that. And the only way to make them care is public disclosure.
No Apple doesn't (Score:2)
Apple has billions of $ invested; it's not sitting in a bank. They have become a Mutual Fund which pays dividends on their stock. They could probably transition into a full blown fund and stop making anything.
Re: (Score:2)
Source: Apple's cash pile hits $285.1 billion, a record [cnbc.com].
Yes I realized from the get-go that it is not all in a single passbook savings at Wells Fargo at 0.82% interest. All the same the assertion that Apple "can't afford" something is just amazing.
Re: (Score:2)
Yes I realized from the get-go that it is not all in a single passbook savings at Wells Fargo at 0.82% interest.
If it was, Wells Fargo would have figured out how to steal it by now.
Re: (Score:1)
People are continuing to use older computers (and phones) because they stopped getting significantly better every few years quite a bit more than 5 years ago. I'm typing this on 2014 MBP because the keyboard doesn't suck (unlike my manager's 2017 MBP, which has had issues despite not being "ancient"), and Apple has not released anything portable with more than 16GB of memory. Don't need a FPS video card or a marginally supported touch bar, but rather memory for VMs connecting to different VPNs (one of the j
Re: (Score:2)
Re: (Score:2)
Seriously, anyone who would reveal such info for vindictive purposes deserves to suffer.
What info?
Fuck this prick.
Stop sucking Apple's.
If he deserves to have his fingers broken for announcing that he has found a severe security problem (but not how to exploit it) what do Apple programmers deserve for creating it with their incompetence? What does Apple management deserve for letting it be created, and for being unwilling to pay bounties, which have been proven effective in getting researchers to disclose bugs to vendors instead of selling them on the black market?
Dubious veracity ... (Score:3)
dump-keychain (Score:5, Interesting)
using:
security dump-keychain -d login.keychain > keychain.txt
in the terminal works rather nicely. This used to do so without authentication for the individual items.
Newer versions of macOS now ask for the user password before revealing passwords -- but for a long time, and for older systems, this works quite nicely.
2cents from slushy toronto
john p
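The locking discussion further up (the keychain stays unlocked while the screensaver is running, so anything already executing in the session, whether KeySteal or the `security dump-keychain` command above, can read items) has a configuration-side mitigation: make the login keychain lock on sleep and after inactivity. The script below is an added example, not code from the thread or from Apple; it parses the (assumed) output format of `security show-keychain-info` and prints the `security set-keychain-settings` remediation. The sample lines are constructed.

```shell
#!/bin/sh
# Assumed output format of `security show-keychain-info <keychain>` on macOS, e.g.:
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" no-timeout

# Constructed sample lines (not captured from a real machine).
SAMPLE_HARDENED='Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_WEAK='Keychain "/Users/me/Library/Keychains/login.keychain-db" no-timeout'
SAMPLE_LONG='Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=86400s'

# keychain_policy_ok INFO_LINE MAX_SECONDS
# Returns 0 when the line reports lock-on-sleep AND an inactivity timeout
# no longer than MAX_SECONDS; returns 1 otherwise (no timeout, too long, or
# no lock-on-sleep). Both conditions are needed: a locked screen alone does
# not lock the keychain, as the thread points out.
keychain_policy_ok() {
  info=$1
  max=$2
  case "$info" in
    *lock-on-sleep*) ;;
    *) return 1 ;;
  esac
  timeout=$(printf '%s\n' "$info" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p')
  [ -n "$timeout" ] || return 1
  [ "$timeout" -le "$max" ]
}

# keychain_fix_cmd KEYCHAIN MAX_SECONDS
# Prints (does not run) the remediation: -l lock on sleep, -u lock after
# inactivity, -t timeout in seconds. These are documented security(1) flags.
keychain_fix_cmd() {
  printf 'security set-keychain-settings -l -u -t %s %s\n' "$2" "$1"
}

# audit_login_keychain: meant to be run on a Mac where security(1) exists.
# Exit 0 if the login keychain meets the policy, 1 if it is weak, 2 on error.
audit_login_keychain() {
  info=$(security show-keychain-info login.keychain 2>&1) || {
    echo "cannot query keychain: $info"
    return 2
  }
  if keychain_policy_ok "$info" 300; then
    echo "OK: $info"
  else
    echo "WEAK: $info"
    echo "fix with: $(keychain_fix_cmd login.keychain 300)"
    return 1
  fi
}
```

Locking the keychain narrows the window in which an already-running process in an idle session can read items; it does not help against a program started while the user is actively logged in.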
I know a lot of folks are upset at him (Score:5, Informative)
1) He hasn't released how to actually exploit it.
2) This is a five, maybe six, figure bug on the black market.
3) He's simply saying 'Hey, wake up, you're doing a giant disservice to all your users by pushing people to the black market.'
Re: (Score:2)
The way he went about this shows that the guy is already ethically compromised.
Re: (Score:2)
1) Rhetorical, clearly.
2) I think his odds of harm coming to him are less than a vehicle involved accident.
3) No.
Re: (Score:2)
2) You said yourself that it's a six figure exploit. You can have someone killed in the low fives.
3) If it's a six figure exploit why wouldn't he be receiving credible offers?
Re: (Score:3)
Re: (Score:2)
In what way does killing him help reveal his exploit? That makes zero sense in this case.
You're right, it doesn't, but I've watched enough TV shows to imagine someone deciding to provide him with a little "wrench therapy" until he agrees to cough up the exploit to them.
Not that I think that's really likely either -- life isn't like a TV plot. But it's conceivable.
Re:I know a lot of folks are upset at him (Score:4, Insightful)
If he uses this to, say, recover $145M in cryptocurrency from a laptop, then I'm sure he will do well...
How is this not Black Hat? (Score:5, Insightful)
1. Posting a YouTube video showing a purported P1, 0day security exploit.
2. Not releasing any information on how to reproduce or resolve their exploit.
3. Holding out for Apple to pay a "bug bounty" (read: ransom)
We're through the looking glass if this is what qualifies as "security research" nowadays.
Re: (Score:1)
In "protest of a lack of bug bounties" this individual is:
1. Posting a YouTube video showing a purported P1, 0day security exploit.
2. Not releasing any information on how to reproduce or resolve their exploit.
3. Holding out for Apple to pay a "bug bounty" (read: ransom)
We're through the looking glass if this is what qualifies as "security research" nowadays.
Don't hate the player, hate the game.
Congress decided companies can disclaim liability for most security vulnerabilities.
Economically then, there is no incentive to fix those vulnerabilities.
Somebody decided to play by the rules as they stand now, and you're crying foul.
Hate the game? Then change the rules.
Re: (Score:2)
Credible researcher? (Score:5, Insightful)
White hats were reporting exploits long before you could make money with it, the money is not some inherent right. The guy is not a white hat, he's an asshat.
One button? I call BS. No way. (Score:2)
I have pressed every button on a Mac at least once and none show passwords. Do I have to type in a command line and then hit one button? In which case I can also create a complete post like this one with just one button.
A quick change of reputation! (Score:2)
Zero to hero in quick time!
Re: (Score:2)
Mac Attack (Score:2)
one step removed from 'digital extortion' (Score:2)
I'd like to see a law requiring disclosure of vulnerabilities with penalties for non-compliance.
But first, I want a law that makes companies liable for bugs and vulnerabilities, i.e. one that outlaws most of the terms in shrink-wrap licenses. When companies actually pay damages, they'll start being A Lot More Careful.
Re: (Score:3)
Good, cheap, fast: pick any two. If you assume good = careful, then either the software will be cheap, but slow between releases; or fast but expensive. Most consumers prefer cheap. One problem with cheap but slow is that companies need to be able to pay their employees between releases.
Ahhh...Wait What? (Score:1)
white hat? (Score:2)
Since when do white hats do something for money?
There have been white hats who made security issues public before fixes were available, sure, but most of the time after working (or trying to work) for months with the company in question and finally hitting a dead end. You use it as a last resort.