Thursday, February 7, 2019

KeySteal Mac Keychain Exploit

Benjamin Mayo:

Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.

However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

Why doesn’t Apple have a bug bounty program for macOS?

Rene Ritchie:

Garbage. Disclose to Apple to help protect users then use the follow up to push for when (not if) the bounty program is launching.

There absolutely should be one and yesterday but don’t hold users hostage for your entitlement.

(Especially if you’ve previously dropped 0days…)

Dave DeLong:

Eh, mixed feelings. Civil disobedience is a well-established form of protest, and @apple tends to gloss over Mac stuff publicly, because it’s minuscule compared to iOS

And until he releases the exploit, there are no “hostages”. This isn’t blackmail.

Patrick Wardle:

Got to play with @LinusHenze’s ‘KeySteal’. It’s a lovely bug & exploit

✅ works on macOS 10.14.3
✅ his payload dumps passwords, private keys, & tokens

Protect yourself by:

🔐manually locking your keychain
🔐or setting a keychain-specific password

Lorenzo Franceschi-Bicchierai (Hacker News):

On Wednesday, after a talk at the Black Hat security conference in Las Vegas, Beer tweeted a message to Apple’s CEO Tim Cook, challenging him to pay for each bug he has reported since 2016, and asking him to donate $2.45 million to to human rights group Amnesty International.

[…]

Apple’s bug bounty program had a lackluster start last year. As Motherboard reported at the time, the majority of independent iOS security researchers had not submitted any bugs to Apple as part of the bug bounty, mostly because doing so would hinder future research and was just not worth the trouble, given that those exploits can be sold for much more money in the gray market of exploit brokers.

Previously: Apple Security.

Update (2019-02-08): Benjamin Mayo:

It is pretty twisted that Apple will bend the rules of their own bug bounty program so much for the Thompson family because of the press coverage. Meanwhile, ‘real’ security researchers are upset that Apple won’t even offer a program — of any kind — for macOS.

Previously: Major FaceTime Privacy Bug.

Jeff Johnson:

I could continue to pester Apple Product Security by email, but I don’t feel like it. I shouldn’t have to. I shouldn’t have to do anything except report the bug, which I did. I can accept that a mistake was made when my bug was not credited along with all of the others on October 30. What I cannot accept is that it takes more than 3 months to fix the mistake and simply update a web page on their site.

On a tangentially related note, the scam apps in the App Store that I blogged about previously are still in the App Store today. I also reported these apps to Apple Product Feedback. I’m not sure if that’s where you’re supposed to report App Store scams. Should you email Apple Product Security? Who knows. Why isn’t there a clearly identified place to report App Store scams to Apple?

Update (2019-02-11): Linus Henze:

On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote.

John Gruber:

Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.

qwertyoruiop:

as much as the FaceTime kid deserves the money he got, it’s very sad to see that Apple will only do things under the threat of bad PR. The bounty program has pissed off so many researchers that it seems very tone deaf of Apple to bend rules like that.

I’m not supposed to share details, but at this point I don’t even care about being disqualified from the bounty program. I submitted two sandbox escapes, for a $25k payout each. Additionally I wanted to donate my payout to charity, which made me elegible for a match.

It’s been now 2 years of silence from them, but I did recently hear that supposedly they took my decision to donate to @MAPS as a “joke” and seemingly they’re unwilling to donate to them. I think it’s despicable and the bounty program can die in a fire as far as I’m concerned.

Jeff Johnson:

Yesterday I wrote a blog post about how Apple Product Security has failed to credit me for my previous discovery of another hole in Mojave’s privacy protections. Later that day, Apple updated their support article online. The article now credits me, but unfortunately it credits me for the wrong bug. Perhaps the update was a rush job in response to my blog post, who knows.

Update (2019-02-18): Jeff Johnson:

I finally got proper credit from Apple Product Security for the Mojave privacy protections bypass that was fixed in macOS 10.14.1 back on October 30, 2018.

Update (2019-03-04): Linus Henze:

I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.

Update (2019-06-03): Linus Henze:

Hopefully you all updated your Macs to the latest macOS version, because as promised in my talk at #OBTS, KeySteal is now available on Github.

Please, only use this exploit for educational purposes. Don’t be evil!

6 Comments RSS · Twitter

To Rene Ritchie I say GARBAGE. People do not, and will not work for free for you. Apple should PAY A BOUNTY. And the sooner the better.

I don’t know why clueless “entitled” people like Ritchie even exist. Maybe bughunters should disclose to “other organizations?”

Actually there are people who do this. They work for governments, NGOs and “three letter agencies” and they DO NOT DISCLOSE.

And they get paid. Very well from what I hear.

Would little Ritchie like that better?

> Garbage. Disclose to Apple to help protect users then use the follow up to push for when (not if) the bounty program is launching.

Apple has clearly shown, repeatedly and recently, that disclosing major bugs privately to them DOES NOT WORK and DOES NOT HELP USERS. The only thing that Apple is responsive to is bad PR.

> I don’t know why clueless “entitled” people like Ritchie even exist.

Bob Burrough put it best: "I am not saying this in an insulting way. I mean this with the utmost respect, but to me, you are not a journalist. you are a spokesperson." (https://twitter.com/bob_burrough/status/1080650448946622464)

Rene Ritchie always came off as a nice guy in podcasts and writing. Nothing personal, but, he essentially runs a fansite for Apple users. He's certainly allowed his opinions, but he's often very Apple positive in his views. I respect people for being who they are even if I'm not in agreement with them. I know what to expect from Rene Ritchie, so it's never a guessing game for me. Some people are fakes, that's not Rene. Again, even if I disagree with him on many issues, you know where he stands.

Yet, I will say I disagree with Rene. I do think bugs should be disclosed but Apple can afford to pay for disclosures. Not only should they pay, they should bother to take these bugs seriously.

Leave a Comment