
Researcher demos new macOS Keychain exploit, holds data from Apple

DrMacintosh

A security researcher has revealed a new exploit in Keychain.app (a password and credential management software introduced in macOS 9) but is opting to keep the details of this exploit hidden from Apple.

Basically a definition of an opportunistic asshole. The kind most despised by actual security researchers. The usual codex is that you report the exploit to the vendor 3-6 months in advance before making it public, so they have time to address it without making things a problem to the end users.


15 minutes ago, RejZoR said:

Basically a definition of an opportunistic asshole. The kind most despised by actual security researchers. The usual codex is that you report the exploit to the vendor 3-6 months in advance before making it public, so they have time to address it without making things a problem to the end users.

from op

The analyst claims to be withholding details of the exploit from Apple, citing that the Bug Bounty Program does not include macOS exploits (which in my opinion it should).

 

they want to get paid

time is money

 


On 2/8/2019 at 9:33 AM, Drak3 said:

Having passwords stored on anything other than local machines is something you should never do.

Gotta agree with this. My dad recently added me to his Family Sharing on iCloud. Unfortunately this meant that I get access to his passwords (and him mine), so stuff like bank account details etc. crossed over too. I find it silly that you can't have separate permissions for bank details etc.


3 hours ago, RejZoR said:

Basically a definition of an opportunistic asshole. The kind most despised by actual security researchers. The usual codex is that you report the exploit to the vendor 3-6 months in advance before making it public, so they have time to address it without making things a problem to the end users.

He hasn't disclosed the bug. I see nothing wrong with withholding a bug if they're not willing to pay anything. Disclosing it is something else.


On 2/7/2019 at 3:34 PM, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

Even though I have little to no experience working in the network security sector, I do have an associate's degree in it, and the thought of storing passwords remotely slightly horrifies me.

 

I assume iCloud uses encryption of some kind? Please say yes.


 

8 minutes ago, Trik'Stari said:

I assume iCloud uses encryption of some kind? Please say yes.

Very much so yes.


35 minutes ago, Trik'Stari said:

I assume iCloud uses encryption of some kind? Please say yes.

It's exactly why iCloud Keychain passwords are not affected by a local exploit.


11 minutes ago, DrMacintosh said:

It's exactly why iCloud Keychain passwords are not affected by a local exploit.

As long as that shit's well encrypted, that's fine.


The researcher is in no position to reveal the details of the exploit just like apple is in no position to pay him.

 

Seems to me that if both sides want to benefit they should work out a deal.


I get that the researcher wants to get paid. I agree with the fact that the Bug Bounty should indeed include macOS (and all other Apple software).

 

With that in mind? Fuck you for holding onto the details. Yes, the details haven't been publicly disclosed yet. And yes, as far as we know, it's not in the wild yet.

 

But that's one hell of an assumption. Just because there's no confirmed cases of using the exploit does not mean that it isn't out there. We have absolutely no idea. And because this deals with passwords (granted, even if the risk isn't particularly high to normal users who use iCloud)? Fuck you. Give Apple the damn details.

 

Sure, try and negotiate payment (especially if you set a deadline for public release). But if Apple doesn't give you the money? Try Patreon or GoFundMe. It'll make you less of a selfish asshole.


4 hours ago, dalekphalm said:

I get that the researcher wants to get paid. I agree with the fact that the Bug Bounty should indeed include macOS (and all other Apple software).

 

With that in mind? Fuck you for holding onto the details. Yes, the details haven't been publicly disclosed yet. And yes, as far as we know, it's not in the wild yet.

 

But that's one hell of an assumption. Just because there's no confirmed cases of using the exploit does not mean that it isn't out there. We have absolutely no idea. And because this deals with passwords (granted, even if the risk isn't particularly high to normal users who use iCloud)? Fuck you. Give Apple the damn details.

 

Sure, try and negotiate payment (especially if you set a deadline for public release). But if Apple doesn't give you the money? Try Patreon or GoFundMe. It'll make you less of a selfish asshole.

an eye for an eye

 


On 2/7/2019 at 1:34 PM, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

I agree with him. Passwords should never be stored online. Online accounts can be and often are hacked... Local computers, on the other hand, are rarely the target for serious hackers. Most home networks don't even have ports open to the internet, so it'd be near impossible to hack them.


2 hours ago, corrado33 said:

I agree with him. Passwords should never be stored online. Online accounts can be and often are hacked... Local computers, on the other hand, are rarely the target for serious hackers. Most home networks don't even have ports open to the internet, so it'd be near impossible to hack them.

Except malware that scrubs drives and reads everything that might resemble a password or username, often specifically targeting password storage containers...


10 hours ago, suicidalfranco said:

an eye for an eye

 

That's a rather petty response - just like the researcher.

 

As a consumer - I don't give a shit if Apple doesn't share their malware signatures (they should, mind you). I care that a person knows full details of an exploit, yet refuses to even let Apple look at the details.

 

That person, in my mind, is no better than a blackhat hacker that is essentially asking for ransom.

 

I get that a lot of these researchers rely on bug bounties, but presumably they already know which software qualifies for a bounty and which don't. Don't want to do free work? Don't research software that doesn't offer a bounty.

 

As soon as he discovered the exploit and was able to document it, he should have sent that to Apple.


1 hour ago, dalekphalm said:

That's a rather petty response - just like the researcher.

 

As a consumer - I don't give a shit if Apple doesn't share their malware signatures (they should, mind you). I care that a person knows full details of an exploit, yet refuses to even let Apple look at the details.

 

That person, in my mind, is no better than a blackhat hacker that is essentially asking for ransom.

 

I get that a lot of these researchers rely on bug bounties, but presumably they already know which software qualifies for a bounty and which don't. Don't want to do free work? Don't research software that doesn't offer a bounty.

 

As soon as he discovered the exploit and was able to document it, he should have sent that to Apple.

I disagree. I'd only have a problem if he discloses it to the public if Apple refuses to pay. As long as he's just keeping it to himself until they're willing to pay (or forever if they never do), then it's fine imo. 

 

He shouldn't have to work for free, even if he knew there was no big bounty when doing the work.


9 hours ago, RejZoR said:

Except malware that scrubs drives and reads everything that might resemble a password or username, often specifically targeting password storage containers...

Which won't happen if you are not a complete moron and don't click on anything without thinking (not to mention the same malware can scrub for online managers and get the passwords from those too).


10 hours ago, RejZoR said:

Except malware that scrubs drives and reads everything that might resemble a password or username, often specifically targeting password storage containers...

Good luck, my password manager stores all of the passwords in a container that's encrypted with AES-GCM-256 encryption. :)


On 2/7/2019 at 3:34 PM, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

Yeah, but you need local access to the machine to be able to extract them. If your passwords are in the cloud, they are open to anyone in the world if there is a security breach.

 

IMO storing passwords locally is a lot safer.


6 minutes ago, maartendc said:

Yeah, but you need local access to the machine to be able to extract them. If your passwords are in the cloud, they are open to anyone in the world if there is a security breach.

 

IMO storing passwords locally is a lot safer.

It's safer if they're competently stored locally. If they're not (which would apply to most users), then locally in plain text vs encrypted in iCloud....I'd take my chances with iCloud.


14 hours ago, 79wjd said:

He shouldn't have to work for free, even if he knew there was no big bounty when doing the work.

So if I volunteer somewhere, knowing I won't get paid, can I sue the place where I worked and demand money? No, I can't.

 

This is the same thing. He worked to find the bug knowing there was no reward.


51 minutes ago, firelighter487 said:

So if I volunteer somewhere, knowing I won't get paid, can I sue the place where I worked and demand money? No, I can't.

This is the same thing. He worked to find the bug knowing there was no reward.

Not too sure that analogy works as well as you want it to.

 

This researcher has given Apple enough information that they can either work out the exploit themselves or pay him for his work finding it, either way he is not demanding money in exchange for not releasing it publicly so he is neither blackmailing nor holding anyone to ransom.


6 hours ago, mr moose said:

Not too sure that analogy works as well as you want it to.

 

This researcher has given Apple enough information that they can either work out the exploit themselves or pay him for his work finding it, either way he is not demanding money in exchange for not releasing it publicly so he is neither blackmailing nor holding anyone to ransom.

How do you know they've given Apple enough information? Certainly they could probably make some educated guesses, and eventually reverse engineer his exploit.

 

But it doesn't matter that he's not threatening to make it public - that would certainly be worse (and probably straight up illegal), but what he's doing is still wrong.

 

We're essentially just taking the chance that he's the only one who's found it yet. He knew he wasn't gonna get paid before he even started the research. It might make sense for him to withhold the info, but it's not in the public interest. If he had the public interest in mind, he'd just give Apple the info, and work out money stuff later (and take the risk that he might not get paid).


40 minutes ago, dalekphalm said:

How do you know they've given Apple enough information? Certainly they could probably make some educated guesses, and eventually reverse engineer his exploit.

 

But it doesn't matter that he's not threatening to make it public - that would certainly be worse (and probably straight up illegal), but what he's doing is still wrong.

 

We're essentially just taking the chance that he's the only one who's found it yet. He knew he wasn't gonna get paid before he even started the research. It might make sense for him to withhold the info, but it's not in the public interest. If he had the public interest in mind, he'd just give Apple the info, and work out money stuff later (and take the risk that he might not get paid).

You're right, he would do that if he had the public's interest at heart. But, aside from being nice, why should he? I don't see any issue on any level with someone who doesn't put the welfare of the general population above himself. 


21 minutes ago, 79wjd said:

You're right, he would do that if he had the public's interest at heart. But, aside from being nice, why should he? I don't see any issue on any level with someone who doesn't put the welfare of the general population above himself. 

Sure but that someone then shouldn't go out of their way to do the work they know they won't get paid for, that then uncovers a threat to the general public.

 

He knew he wasn't going to get paid. And now he's holding that data to himself (essentially holding it hostage). His only saving grace is that there's no confirmed instance of the exploit in the wild yet. As if that realistically matters.

 

It's okay for him to hold the data hostage but only so long as nothing horrible happens? Seriously flawed logic.

 

He's obviously more than welcome to be an asshole and keep the data to himself - just as I have the right to call him an asshole for doing so.

