They are Apple after all. Researcher Declines to Share Zero-Day macOS Keychain Exploit with Apple.
So this researcher found a zero-day in the current version of macOS's Keychain, Apple's password manager, and built a proof-of-concept exploit. (You can see it demoed in a 1.5 minute video if you click the link above.) But he won't share it with Apple, because Apple has no bug-bounty program for macOS (at the time, its only bounty program was an invitation-only one covering iOS). Because Apple is different from the rest of the tech companies in the world. Or something. (They are certainly more arrogant than your average tech company, and THAT is saying something.)
The vulnerability found by Henze in Apple's macOS operating system last week is present "in the keychain's access control" and it could allow a potential attacker to steal Keychain passwords from any local user account on the Mac, without the need for admin privileges or the keychain master password.
This isn't the first time Apple's home-grown security design has fallen short, though note that this Keychain flaw is an access-control bug rather than a cryptographic one: the stored passwords are encrypted properly, but the checks on who is allowed to read them can be bypassed. The original iMessage encryption, designed in-house by Apple rather than built on a vetted industry standard, was shown to be weak by academic researchers in 2016, and Apple had to fix the protocol.
As for the security researcher, Linus Henze…
Please note that even if it looks like I'm doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have).
If he were just in it for the money, I'm sure that Zerodium would have been willing to pay him big bucks before his disclosure. (Zerodium's headline payout is as much as $2 million, though that figure is for a full remote iOS jailbreak chain; a local macOS bug like this one would fetch considerably less, but still far more than the nothing Apple offers.)
But Apple expects you to spend weeks or months researching problems with their code, and then you should just hand over your findings to them free of charge. Because Apple.
He hasn't given the exploit away, only a demo video, but now that people know the zero-day exists, it is only a matter of time before someone less ethical rediscovers it and puts it to nefarious use.