DrMacintosh

Researcher demos new macOS Keychain exploit, holds data from Apple


Quote

A security researcher has revealed a new exploit in Keychain.app (a password and credential management software introduced in macOS 9) but is opting to keep the details of this exploit hidden from Apple.

Basically a definition of an opportunistic asshole. The kind most despised by actual security researchers. The usual codex is that you report the exploit to the vendor 3-6 months in advance before making it public, so they have time to address it without making things a problem to the end users.

15 minutes ago, RejZoR said:

Basically a definition of an opportunistic asshole. The kind most despised by actual security researchers. The usual codex is that you report the exploit to the vendor 3-6 months in advance before making it public, so they have time to address it without making things a problem to the end users.

from op

The analyst claims to be withholding details of the exploit from Apple, citing that the Bug Bounty Program does not include macOS exploits (which in my opinion it should).

 

they want to get paid

time is money

 

On 2/8/2019 at 9:33 AM, Drak3 said:

Having passwords stored on anything other than local machines is something you should never do.

Gotta agree with this. My dad recently added me to his family sharing on the iCloud. Unfortunately this meant that I get access to his password (and him mine), so stuff like bank account details etc crossed over too. I find it silly that you can't have separate permissions for bank details etc, 

3 hours ago, RejZoR said:

Basically a definition of an opportunistic asshole. The kind most despised by actual security researchers. The usual codex is that you report the exploit to the vendor 3-6 months in advance before making it public, so they have time to address it without making things a problem to the end users.

He hasn't disclosed the bug. I see nothing wrong with withholding a bug if they're not willing to pay anything. Disclosing it is something else.


PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

On 2/7/2019 at 3:34 PM, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

Even though I have little to no experience in working in the Network Security sector, I do have an associates degree in it, and the thought of storing passwords remotely, slightly horrifies me.

 

I assume iCloud uses encryption of some kind? Please say yes.


Computers don't make errors. What they do, they do on purpose. By now your name and particulars have been fed into every laptop, desktop, mainframe and supermarket scanner that collectively make up the global information conspiracy, otherwise known as The Beast.

 

You just be careful. Computers have already beaten the Communists at chess. Next thing you know, they'll be beating humans.


 

8 minutes ago, Trik'Stari said:

I assume iCloud uses encryption of some kind? Please say yes.

Very much so yes.


Posted · Original Poster
35 minutes ago, Trik'Stari said:

I assume iCloud uses encryption of some kind? Please say yes.

It's exactly why iCloud Keychain passwords are not affected by a local exploit.


Laptop: 2016 13" nTB MacBook Pro Core i5 | Phone: iPhone 6s Plus 64GB Wearables: Apple Watch Sport Series 2 CPU: R5 2600 | Mobo: ASRock B450M Pro4 | RAM: 8GB 2666 | GPU: Sapphire Nitro+ RX 580 4GB | Case: Apple PowerMac G5 | OS: Win 10 | Storage: 480GB PNY SSD & 2TB WD Green HDD | PSU: Corsair CX600M | Display: Dell UZ2215H 21.5" 1080p, ViewSonic VX2450wm-LED 23.6" 1080p, Samsung SyncMaster 940BX 19" 1024p | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G303 | Audio: Audio Technica ATH-M50X & Blue Snowball

 

11 minutes ago, DrMacintosh said:

It's exactly why iCloud Keychain passwords are not affected by a local exploit.

As long as that shit's well encrypted, that's fine.


Computers don't make errors. What they do, they do on purpose. By now your name and particulars have been fed into every laptop, desktop, mainframe and supermarket scanner that collectively make up the global information conspiracy, otherwise known as The Beast.

 

You just be careful. Computers have already beaten the Communists at chess. Next thing you know, they'll be beating humans.


The researcher is in no position to reveal the details of the exploit just like apple is in no position to pay him.

 

Seems to me that if both sides want to benefit they should work out a deal.


What does windows 10 and ET have in common?

 

They are both constantly trying to phone home.


I get that the researcher wants to get paid. I agree with the fact that the Bug Bounty should indeed include macOS (and all other Apple software).

 

With that in mind? Fuck you for holding onto the details. Yes, the details haven't been publicly disclosed yet. And yes, as far as we know, it's not in the wild yet.

 

But that's one hell of an assumption. Just because there's no confirmed cases of using the exploit does not mean that it isn't out there. We have absolutely no idea. And because this deals with passwords (granted, even if the risk isn't particularly high to normal users who use iCloud)? Fuck you. Give Apple the damn details.

 

Sure, try and negotiate payment (especially if you set a deadline for public release). But if Apple doesn't give you the money? Try Patreon or GoFundMe. It'll make you less of a selfish asshole.


For Sale (lots of stuff):

Spoiler

[FS] [CAD] Various things

 

 

* Intel i7-4770K * ASRock Z97 Anniversary * 16GB RAM * 750w Seasonic Modular PSU *

* Crucial M4 128GB SSD (Primary) * Hitachi 500GB HDD (Secondary) *

* Gigabyte HD 7950 WF3 * SATA Blu-Ray Writer * Logitech g710+ * Windows 10 Pro x64 *

 

4 hours ago, dalekphalm said:

I get that the researcher wants to get paid. I agree with the fact that the Bug Bounty should indeed include macOS (and all other Apple software).

 

With that in mind? Fuck you for holding onto the details. Yes, the details haven't been publicly disclosed yet. And yes, as far as we know, it's not in the wild yet.

 

But that's one hell of an assumption. Just because there's no confirmed cases of using the exploit does not mean that it isn't out there. We have absolutely no idea. And because this deals with passwords (granted, even if the risk isn't particularly high to normal users who use iCloud)? Fuck you. Give Apple the damn details.

 

Sure, try and negotiate payment (especially if you set a deadline for public release). But if Apple doesn't give you the money? Try Patreon or GoFundMe. It'll make you less of a selfish asshole.

an eye for an eye

 


One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

On 2/7/2019 at 1:34 PM, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

I agree with him. Passwords should never be stored online. Online accounts can be and often are hacked... Local computers, on the other hand, are rarely the target for serious hackers. Most home networks don't even have ports open to the internet so it'd be near impossible to hack them.

2 hours ago, corrado33 said:

I agree with him. Passwords should never be stored online. Online accounts can be and often are hacked... Local computers, on the other hand, are rarely the target for serious hackers. Most home networks don't even have ports open to the internet so it'd be near impossible to hack them.

Except malware that scrubs drives and reads all and everything that might resemble a password or username, often specifically targeting password storage containers...

10 hours ago, suicidalfranco said:

an eye for an eye

 

That's a rather petty response - just like the researcher.

 

As a consumer - I don't give a shit if Apple doesn't share their malware signatures (they should, mind you). I care that a person knows full details of an exploit, yet refuses to even let Apple look at the details.

 

That person, in my mind, is no better than a blackhat hacker that is essentially asking for ransom.

 

I get that a lot of these researchers rely on bug bounties, but presumably they already know which software qualifies for a bounty and which don't. Don't want to do free work? Don't research software that doesn't offer a bounty.

 

As soon as he discovered the exploit and was able to document it, he should have sent that to Apple.


1 hour ago, dalekphalm said:

That's a rather petty response - just like the researcher.

 

As a consumer - I don't give a shit if Apple doesn't share their malware signatures (they should, mind you). I care that a person knows full details of an exploit, yet refuses to even let Apple look at the details.

 

That person, in my mind, is no better than a blackhat hacker that is essentially asking for ransom.

 

I get that a lot of these researchers rely on bug bounties, but presumably they already know which software qualifies for a bounty and which don't. Don't want to do free work? Don't research software that doesn't offer a bounty.

 

As soon as he discovered the exploit and was able to document it, he should have sent that to Apple.

I disagree. I'd only have a problem if he discloses it to the public if Apple refuses to pay. As long as he's just keeping it to himself until they're willing to pay (or forever if they never do), then it's fine imo. 

 

He shouldn't have to work for free, even if he knew there was no big bounty when doing the work.


9 hours ago, RejZoR said:

Except malware that scrubs drives and reads all and everything that might resemble a password or username, often specifically targeting password storage containers...

Which won't happen if you are not a complete moron and don't click on anything without thinking (not to mention the same malware can scrub for online managers and get the passwords from those too).

Edited by jagdtigger
10 hours ago, RejZoR said:

Except malware that scrubs drives and reads all and everything that might resemble a password or username, often specifically targeting password storage containers...

Good luck, my password manager stores all of the passwords in a container that's encrypted with AES-GCM-256 encryption. :)

On 2/7/2019 at 3:34 PM, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

yeah but you need local access to the machine to be able to extract them. If your passwords are in the cloud, they are open to anyone in the world, if there is a security breach.

 

IMO storing passwords locally is a lot safer.


Best Gaming Podcasts on the internet! Check out Orange Lounge Radio Live on Twitch;  Sunday nights at 6PM ET / 9PM PT:

https://www.twitch.tv/vognetwork

 

6 minutes ago, maartendc said:

yeah but you need local access to the machine to be able to extract them. If your passwords are in the cloud, they are open to anyone in the world, if there is a security breach.

 

IMO storing passwords locally is a lot safer.

It's safer if they're competently stored locally. If they're not (which would apply to most users), then locally in plain text vs encrypted in iCloud....I'd take my chances with iCloud.


14 hours ago, 79wjd said:

He shouldn't have to work for free, even if he knew there was no big bounty when doing the work.

so if i volunteer somewhere, so know i won't get paid can i sue the place where i worked and demand money? no. i can't.

 

this is the same thing. he worked to find the bug knowing there was no reward.


DISCLAIMER: ANYTHING I SAY COULD BE WRONG. DO YOUR OWN RESEARCH! 

Have a look at my set up your linux gaming pc from start to finish topic if you want to get started with linux :) 

My laptop: MacBook Pro 15" Late 2011 (dGPU disabled): I7 2675QM | HD3000 | 500GB SSD | 16GB RAM | macOS

51 minutes ago, firelighter487 said:

so if i volunteer somewhere, so know i won't get paid can i sue the place where i worked and demand money? no. i can't.

 

this is the same thing. he worked to find the bug knowing there was no reward.

not too sure that analogy works as well as you want it to.

 

This researcher has given Apple enough information that they can either work out the exploit themselves or pay him for his work finding it, either way he is not demanding money in exchange for not releasing it publicly so he is neither blackmailing nor holding anyone to ransom.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

6 hours ago, mr moose said:

not too sure that analogy works as well as you want it to.

 

This researcher has given Apple enough information that they can either work out the exploit themselves or pay him for his work finding it, either way he is not demanding money in exchange for not releasing it publicly so he is neither blackmailing nor holding anyone to ransom.

How do you know they've given Apple enough information? Certainly they could probably make some educated guesses, and eventually reverse engineer his exploit.

 

But it doesn't matter that he's not threatening to make it public - that would certainly be worse (and probably straight up illegal), but what he's doing is still wrong.

 

We're essentially just taking the chance that he's the only one who's found it yet. He knew he wasn't gonna get paid before he even started the research. It might make sense for him to withhold the info, but it's not in the public interest. If he had the public interest in mind, he'd just give Apple the info, and work out money stuff later (and take the risk that he might not get paid).


40 minutes ago, dalekphalm said:

How do you know they've given Apple enough information? Certainly they could probably make some educated guesses, and eventually reverse engineer his exploit.

 

But it doesn't matter that he's not threatening to make it public - that would certainly be worse (and probably straight up illegal), but what he's doing is still wrong.

 

We're essentially just taking the chance that he's the only one who's found it yet. He knew he wasn't gonna get paid before he even started the research. It might make sense for him to withhold the info, but it's not in the public interest. If he had the public interest in mind, he'd just give Apple the info, and work out money stuff later (and take the risk that he might not get paid).

You're right, he would do that if he had the public's interest at heart. But, aside from being nice, why should he? I don't see any issue on any level with someone who doesn't put the welfare of the general population above himself. 


21 minutes ago, 79wjd said:

You're right, he would do that if he had the public's interest at heart. But, aside from being nice, why should he? I don't see any issue on any level with someone who doesn't put the welfare of the general population above himself. 

Sure but that someone then shouldn't go out of their way to do the work they know they won't get paid for, that then uncovers a threat to the general public.

 

He knew he wasn't going to get paid. And now he's holding that data to himself (essentially holding it hostage). His only saving grace is that there's no confirmed instance of the exploit in the wild yet. As if that realistically matters.

 

It's okay for him to hold the data hostage but only so long as nothing horrible happens? Seriously flawed logic.

 

He's obviously more than welcome to be an asshole and keep the data to himself - just as I have the right to call him an asshole for doing so.

