{"id":24223,"date":"2019-02-07T16:09:57","date_gmt":"2019-02-07T21:09:57","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=24223"},"modified":"2021-07-13T11:52:55","modified_gmt":"2021-07-13T15:52:55","slug":"keysteal-mac-keychain-exploit","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/02\/07\/keysteal-mac-keychain-exploit\/","title":{"rendered":"KeySteal Mac Keychain Exploit"},"content":{"rendered":"

Benjamin Mayo<\/a>:<\/p>\n

\n

Security researcher Linuz Henze has shared a video<\/a> demonstration of what is claimed to be a macOS Mojave<\/a> exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.<\/p>\n

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.<\/p>\n

However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.<\/p>\n<\/blockquote>\n\n

Why doesn’t<\/a> Apple have a bug bounty program for macOS?<\/p>\n\n

Rene Ritchie<\/a>:<\/p>\n

\n

Garbage. Disclose to Apple to help protect users then use the follow up to push for when (not if) the bounty program is launching.<\/p>\n

There absolutely should be one and yesterday but don’t hold users hostage for your entitlement.<\/p>\n

(Especially if you’ve previously dropped 0days…)<\/p>\n<\/blockquote>\n\n

Dave DeLong<\/a>:<\/p>\n

\n

Eh, mixed feelings. Civil disobedience is a well-established form of protest, and @apple tends to gloss over Mac stuff publicly, because it’s minuscule compared to iOS<\/p>\n

And until he releases the exploit, there are no “hostages”. This isn’t blackmail.<\/p>\n<\/blockquote>\n\n

Patrick Wardle<\/a>:<\/p>\n

\n

Got to play with @LinusHenze’s ‘KeySteal’. It’s a lovely bug & exploit<\/p>\n

✅ works on macOS 10.14.3
\n✅ his payload dumps passwords, private keys, & tokens<\/p>\n

Protect yourself by:<\/p>\n

🔐manually locking your keychain
\n🔐or setting a keychain-specific password<\/p>\n<\/blockquote>\n\n

Lorenzo Franceschi-Bicchierai<\/a> (Hacker News<\/a>):<\/p>\n

\n

On Wednesday, after a talk at the Black Hat security conference in Las Vegas, Beer tweeted a message to Apple’s CEO Tim Cook, challenging him to pay for each bug he has reported since 2016, and asking him to donate $2.45 million to to human rights group Amnesty International.<\/p>\n

[…]<\/p>\n

Apple’s bug bounty program had a lackluster start last year. As Motherboard reported at the time, the majority of independent iOS security researchers had not submitted any bugs to Apple as part of the bug bounty, mostly because doing so would hinder future research and was just not worth the trouble, given that those exploits can be sold for much more money in the gray market of exploit brokers.<\/p>\n<\/blockquote>\n\n

Previously: Apple Security<\/a>.<\/p>\n\n

Update (2019-02-08): Benjamin Mayo<\/a>:<\/p>\n

\n

It is pretty twisted that Apple will bend the rules of their own bug bounty program so much for the Thompson family because of the press coverage. Meanwhile, ‘real’ security researchers are upset that Apple won’t even offer a program — of any kind — for macOS.<\/p>\n<\/blockquote>\n\n

Previously: Major FaceTime Privacy Bug<\/a>.<\/p>\n\n

Jeff Johnson<\/a>:<\/p>\n

I could continue to pester Apple Product Security by email, but I don’t feel like it. I shouldn’t have to. I shouldn’t have to do anything except report the bug, which I did. I can accept that a mistake was made when my bug was not credited along with all of the others on October 30. What I cannot accept is that it takes more than 3 months to fix the mistake and simply update a web page on their site.<\/p>

On a tangentially related note, the scam apps in the App Store that I blogged about previously are still in the App Store today. I also reported these apps to Apple Product Feedback. I’m not sure if that’s where you’re supposed to report App Store scams. Should you email Apple Product Security? Who knows. Why isn’t there a clearly identified place to report App Store scams to Apple?<\/p><\/blockquote>\n\n

Update (2019-02-11): Linus Henze<\/a>:<\/p>\n

\n

On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote.<\/p>\n<\/blockquote>\n\n

John Gruber<\/a>:<\/p>\n

\n

Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.<\/p>\n<\/blockquote>\n\n

qwertyoruiop<\/a>:<\/p>\n

\n

as much as the FaceTime kid deserves the money he got, it’s very sad to see that Apple will only do things under the threat of bad PR. The bounty program has pissed off so many researchers that it seems very tone deaf of Apple to bend rules like that.<\/p>\n

I’m not supposed to share details, but at this point I don’t even care about being disqualified from the bounty program. I submitted two sandbox escapes, for a $25k payout each. Additionally I wanted to donate my payout to charity, which made me elegible for a match.<\/p>\n

It’s been now 2 years of silence from them, but I did recently hear that supposedly they took my decision to donate to @MAPS as a “joke” and seemingly they’re unwilling to donate to them. I think it’s despicable and the bounty program can die in a fire as far as I’m concerned.<\/p>\n<\/blockquote>\n\n

Jeff Johnson<\/a>:<\/p>\n

\n

Yesterday I wrote a blog post about how Apple Product Security has failed to credit me for my previous discovery of another hole in Mojave’s privacy protections. Later that day, Apple updated their support article online. The article now credits me, but unfortunately it credits me for the wrong bug. Perhaps the update was a rush job in response to my blog post, who knows.<\/p>\n<\/blockquote>\n\n

Update (2019-02-18): Jeff Johnson<\/a>:<\/p>\n

\n

I finally got proper credit from Apple Product Security for the Mojave privacy protections bypass that was fixed in macOS 10.14.1 back on October 30, 2018.<\/p>\n<\/blockquote>\n\n

Update (2019-03-04): Linus Henze<\/a>:<\/p>\n

\n

I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.<\/p>\n<\/blockquote>\n\n

Update (2019-06-03): Linus Henze<\/a>:<\/p>\n

\n

Hopefully you all updated your Macs to the latest macOS version, because as promised in my talk at #OBTS, KeySteal is now available on Github<\/a>.<\/p>\n

Please, only use this exploit for educational purposes. Don’t be evil!<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"

Benjamin Mayo: Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest. Henze has publicly shared legitimate iOS vulnerabilities in the past, so he […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-02-07T21:09:59Z","apple_news_api_id":"023aa5f2-d2ed-4618-af90-c0430650f31b","apple_news_api_modified_at":"2021-07-13T15:52:59Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABw==","apple_news_api_share_url":"https:\/\/apple.news\/AAjql8tLtRhivkMBDBlDzGw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2098,131,2095,1583,30,1609,355],"class_list":["post-24223","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-security-bounty","tag-bug","tag-exploit","tag-keychain","tag-mac","tag-macos-10-14","tag-privacy"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=24223"}],"version-history":[{"count":7,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24223\/revisions"}],"predecessor-version":[{"id":25455,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24223\/revisions\/25455"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=24223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=24223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=24223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}