Security Researcher Changes Mind over Apple Bug

Apple finally got its way over a zero-day bug last week, but only due to a cybersecurity researcher’s change of heart.

On February 3, security researcher Linus Henze demonstrated a security bug in Mac OS that he said enabled him to access passwords and use information stored in the operating system’s Keychain. Keychain is Apple’s password manager, and users access it via the Keychain Access application in OS X. It stores more than just passwords; Mac users can also store secure notes and digital certificates in it.

Normally, Keychain Access requires a login password to access this information, but the one-click exploit that Henze discovered, nicknamed Keysteal, dumped all the information in plain text without needing root access or administrative privileges.

On February 5, Apple reportedly contacted him asking for details of the exploit. He publicly explained that he wouldn’t reveal the details because Apple didn’t offer a bug bounty program for OS X:

Apple’s position here is strange. The company has offered a bug bounty program for iOS since launching it at Black Hat in 2016. At the time, the company promised to pay up to $200,000 for bug bounties of the right quality.

Since then, though, the secretive program, originally offered by invitation only, has drawn criticism for low payouts. In a 2017 report, Motherboard found several security researchers arguing that iOS bugs were simply too valuable to report to Apple. If they were doing it purely for the money, they explained, they could fetch far higher prices by selling it via zero-day markets.

Researcher Ian Beer also publicly called out Apple CEO Tim Cook, arguing that the company hasn’t been paying him for bug bounties.

Apple doesn’t offer a bug bounty for OS X at all, which is what angered Henze. Even so, he changed his mind over the weekend:

That’s bighearted of him, but it doesn’t solve the bigger problem: some companies simply aren’t paying enough for security flaws. For every Henze, there are likely multiple security researchers who would rather take money from zero-day markets than from vendors.

This is an issue that has arisen before. Bug researcher Charlie Miller launched a campaign at CanSecWest in 2009 entitled ‘no more free bugs.’ He, too, was irritated at vendors’ tendency to dismiss bug reports or palm off researchers with little more than an acknowledgement and perhaps a free T-shirt.

Things are changing thanks to professional bug bounty programs operated by companies like Hacker One, but we still have a long way to go. Apple’s stonewalling in the face of Henze's report shows that all too clearly.
