The researcher who demonstrated the zero-day exploit isn’t giving up the goods out of protest
Here’s an interesting exploit from the land of Apple. A new zero-day, demonstrated in a YouTube video by security researcher Linus Henze, makes it possible for an attacker without administrative privileges or root access to steal all the passwords and encryption keys saved in a Mac’s keychain.
And here’s where it gets interesting. In protest of Apple’s lack of a bug bounty program, the researcher who discovered the exploit isn’t sharing the details.
So, let’s spend a few minutes talking about the KeySteal exploit, bug bounty programs and whether it’s fair to extort a company with something like this.
Let’s hash it out.
KeySteal and Keychain
Keychain is Apple’s built-in key and password manager. It’s a critical component of macOS, storing all of the system’s passwords, encryption keys and digital certificates. Obviously, as we cover all the time, certificate management and key security are of the utmost importance considering all the can go wrong when a compromise occurs.
In 2017, a researcher named Patrick Wardle discovered an exploit that he named KeychainStealer, which Apple promptly patched. Henze’s exploit, KeySteal, is like the spiritual successor to KeychainStealer, and it is still wide open.
In the video below, posted to YouTube, Henze demonstrates the exploit on a 2014 MacBook Pro.
As you can see, it works perfectly.
To disclose, or not to disclose
Now let’s get to the interesting bit: Henge isn’t disclosing this exploit to Apple. At least not yet. The reason is a Bug Bounty program, or more aptly, a lack thereof.
Bug Bounty programs are good things, they encourage third-party security researchers to probe and test various products and report any exploits or vulnerabilities they find. It keeps the researchers in business and it keeps the public safer as a lot of these white hats are more talented than the QA and dev teams that these organizations field. They also have the benefit of a fresh perspective. They haven’t been elbow-deep in the build, which can bias and blind you to certain things.
But, as you might reasonably expect, Bug Bounty programs have more than their fair share of problems. While in a perfect world everyone would function collegially, in reality you see a lot of stuff that would make an elementary school playground seem like a model of decorum.
Case in point, earlier this week in an unrelated incident, the COO of Atrient physically assaulted a researcher that had discovered a critical exploit after trying to quash any news of the vulnerability with a Non-Disclosure Agreement.
That’s pretty standard, companies don’t want publicity about the fact that their WAS/IS a vulnerability, let alone what it was. After all, nobody likes admitting to a mistake.
Another common tact is for company’s to accuse the researchers of hacking them and attempt to have them arrested.
Obviously, this is no way for a company to behave, but it’s worth noting that a lot of these researchers are also sanctimonious, with over-inflated opinions of themselves and a complete lack of an offline social life. So, they’re not entirely sympathetic, either.
In this case, the researcher isn’t disclosing the exploit because Apple doesn’t even have a bug bounty program for macOS. That’s kind of surprising with a company like Apple. To give you some context, Google has a program and regularly publishes the payouts with each new update to a given application, service, device, etc.
Now, the researcher also isn’t disclosing details about the exploit to anyone else, either (aside from the video). He’s not trying to hurt Apple – just extort it. And that’s what this is. Whether or not there may be some justification for it doesn’t excuse the fact that he’s essentially trying to ransom a zero day to Apple.
“The reason [for the non-disclosure] is simple: Apple still has no bug bounty program (for macOS),” Henge told TechSpot. “Maybe this forces Apple to open [one] at some time.”
Is that ethical? I’ll leave that up to you. But neither party is behaving well right now.
As always, leave any comments or questions below…