Vid The bloke who found a password-spaffing bug in macOS says he won't divulge details on the flaw to Apple until the tech titan agrees to properly compensate vulnerability researchers.
Germany-based freelance bug-hunter Linus Henze says the security weakness can be exploited by malware and other dodgy apps running on a Mac to harvest passwords, private keys, and tokens from the victim's keychain. Ideally, programs shouldn't be able to snatch your Facebook or GitHub login details, for example. Here's a video demonstrating the flaw on the most recent version of macOS:
"In this video, I'll show you a zero-day exploit that allows me to extract all your (local) keychain passwords on macOS Mojave, and lower versions," Henze wrote in the vid description. "Without root or administrator privileges, and without password prompts, of course."
While the vulnerability has been checked and verified by noted Mac security guru Patrick Wardle, after he obtained a copy of Henze's exploit, details of the shortcoming are not publicly known – not even to Apple.
That's because Henze is refusing to release any details on the vulnerability, especially to Cupertino, until Apple agrees to include macOS in the highly secretive invite-only bug bounty program it runs for the more popular iOS mobile platform.
Currently, Apple offers selected security researchers payments for reporting iOS vulnerabilities, but not for Mac operating system bugs. Henze wants to change that, and he's using his latest zero-day finding as leverage.
"I won't release this," he said of his exploit code. "The reason is simple: Apple still has no bug bounty program for macOS, so blame them."
Henze told The Register that he's not doing this out of greed, but rather a desire to see himself and other macOS bug-hunters get the recognition from Apple that they deserve. He thus declined to name a price for the keyring vulnerability.
I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirtREAD MORE
"My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and researchers," he told us.
"I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program, like other big companies already have."
Henze is not alone in his frustration over lousy bug bounty programs. Just this week, the researcher who discovered a pair of critical flaws in Sony's web applications told The Register that he declined to do further research into its websites because the electronics giant only rewards vulnerability reports with free clothing.
"But at least he got a t-shirt," Henze quipped in reference to our earlier story. "Apple wants to give me nothing."
Apple did not respond to a request for comment. According to their latest quarterly financial figures, Cook & co. banked profits of $222m per day, every day. Chucking some of that money at researchers who save your fans' bacon would, to some, seem a neat investment. But hey ho? ®