{"id":9642,"date":"2019-02-06T22:06:16","date_gmt":"2019-02-07T03:06:16","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=9642"},"modified":"2023-04-10T11:42:51","modified_gmt":"2023-04-10T15:42:51","slug":"macos-mojave-exploit-can-reveal-encryption-keys-passwords","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/macos-mojave-exploit-can-reveal-encryption-keys-passwords\/","title":{"rendered":"macOS Mojave Exploit can reveal encryption keys, passwords"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-the-researcher-who-demonstrated-the-zero-day-exploit-isn-t-giving-up-the-goods-out-of-protest\">The researcher who demonstrated the zero-day exploit isn\u2019t giving up the\ngoods out of protest<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s an interesting exploit from the land of Apple. A new zero-day, demonstrated in a YouTube video by security researcher Linus Henze, makes it possible for an attacker without administrative privileges or root access to <a href=\"https:\/\/www.youtube.com\/watch?v=nYTBZ9iPqsU\">steal all the passwords and encryption keys<\/a> saved in a Mac\u2019s keychain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And here\u2019s where it gets interesting. In protest of Apple\u2019s\nlack of a bug bounty program, the researcher who discovered the exploit isn\u2019t\nsharing the details. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, let\u2019s spend a few minutes talking about the KeySteal exploit,\nbug bounty programs and whether it\u2019s fair to extort a company with something\nlike this.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-keysteal-and-keychain\">KeySteal and Keychain<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Keychain is Apple\u2019s built-in key and password manager. 
It\u2019s\na critical component of macOS, storing all of the system\u2019s passwords,\nencryption keys and digital certificates. Obviously, as we cover all the time,\ncertificate management and key security are of the utmost importance considering\nall that can go wrong when a compromise occurs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In 2017, a researcher named Patrick Wardle discovered an\nexploit that he named KeychainStealer, which Apple promptly patched. Henze\u2019s\nexploit, KeySteal, is like the spiritual successor to KeychainStealer, and it\nis still wide open. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the video below, posted to YouTube, Henze demonstrates\nthe exploit on a 2014 MacBook Pro. <\/p>\n\n\n\n<figure><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/nYTBZ9iPqsU\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen=\"\" width=\"560\" height=\"315\" frameborder=\"0\"><\/iframe><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">As you can see, it works perfectly. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-to-disclose-or-not-to-disclose\">To disclose, or not to disclose<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now let\u2019s get to the interesting bit: Henze isn\u2019t disclosing\nthis exploit to Apple. At least not yet. The reason is a Bug Bounty program, or\nmore aptly, a lack thereof.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Bug Bounty programs are good things: they encourage third-party\nsecurity researchers to probe and test various products and report any exploits\nor vulnerabilities they find. It keeps the researchers in business and it keeps\nthe public safer as a lot of these white hats are more talented than the QA and\ndev teams that these organizations field. 
They also have the benefit of a fresh\nperspective. They haven\u2019t been elbow-deep in the build, which can bias and\nblind you to certain things. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But, as you might reasonably expect, Bug Bounty programs have\nmore than their fair share of problems. While in a perfect world everyone would\nfunction collegially, in reality you see a lot of stuff that would make an\nelementary school playground seem like a model of decorum.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Case in point, earlier this week in an unrelated incident, <a href=\"https:\/\/www.csoonline.com\/article\/3338112\/security\/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html\">the COO of Atrient physically assaulted a researcher<\/a> who had discovered a critical exploit after trying to quash any news of the vulnerability with a Non-Disclosure Agreement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s pretty standard: companies don\u2019t want publicity about the fact that there WAS\/IS a vulnerability, let alone what it was. After all, nobody likes admitting to a mistake. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another common tack is for companies to accuse the researchers of hacking them and attempt to have them arrested. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Obviously, this is no way for a company to behave, but it\u2019s worth\nnoting that a lot of these researchers are also sanctimonious, with\nover-inflated opinions of themselves and a complete lack of an offline social\nlife. So, they\u2019re not entirely sympathetic, either.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this case, the researcher isn\u2019t disclosing the exploit\nbecause Apple doesn\u2019t even have a bug bounty program for macOS. That\u2019s kind of\nsurprising with a company like Apple. 
To give you some context, Google has a\nprogram and regularly publishes the payouts with each new update to a given\napplication, service, device, etc. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, the researcher isn\u2019t disclosing details about the\nexploit to anyone else, either (aside from the video). He\u2019s not trying to hurt\nApple \u2013 just extort it. And that\u2019s what this is. Whether or not there may be\nsome justification for it doesn\u2019t excuse the fact that he\u2019s essentially trying\nto ransom a zero-day to Apple. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe reason [for the non-disclosure] is simple: Apple still has no bug bounty program (for macOS),\u201d <a href=\"https:\/\/www.techspot.com\/news\/78625-mojave-has-major-flaw-can-reveal-passwords-encryption.html\">Henze told TechSpot<\/a>. \u201cMaybe this forces Apple to open [one] at some time.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Is that ethical? I\u2019ll leave that up to you. But neither\nparty is behaving well right now. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The researcher who demonstrated the zero-day exploit isn\u2019t giving up the goods out of protest Here\u2019s an interesting exploit from the land of Apple. 
A new zero-day, demonstrated in a&#8230;<\/p>\n","protected":false},"author":6,"featured_media":9644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[134],"class_list":["post-9642","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-apple","post-with-tags"],"views":10186,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-221494114.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/9642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=9642"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/9642\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/9644"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=9642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=9642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=9642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}