back to article At least Sony offered a t-shirt, says macOS flaw finder: Bug bounties now for Macs if you want this 0-day, Apple

The bloke who found a password-spaffing bug in macOS says he won't divulge details on the flaw to Apple until the tech titan agrees to properly compensate vulnerability researchers. Germany-based freelance bug-hunter Linus Henze says the security weakness can be exploited by malware and other dodgy apps running on a Mac to …

  1. Edward Clarke
    Mushroom

    If they won't pay then you can always donate it to the government

    of North Korea.

    DPRK Embassy

    Glinkastraße 5-7, 10117 Berlin, Germany

    1. johnfbw

      Re: If they won't pay then you can always donate it to the government

      So the North Korean government runs a youth hostel?

    2. johnfbw

      Re: If they won't pay then you can always donate it to the government

      The London embassy is in suburbia

      https://www.google.com/maps/@51.5032935,-0.2886421,3a,15y,252.06h,88.95t/data=!3m6!1e1!3m4!1s9Jz6MkFCehhmyjbfjFyV6g!2e0!7i16384!8i8192

  2. redpawn Silver badge

    But

    macOS is so secure you don't even need....

    1. chivo243 Silver badge

      Re: But

      I have to wonder if this is a real issue. I watched the vid yesterday *elsewhere* and his key chain is already unlocked. Seems a little sketchy to me...

      1. Anonymous Coward
        Anonymous Coward

        Re: But

        Well seeing as the software is locally installed, if you get malware installed on your device then your security is already compromised. Even without hitting keychain, surely it could just key log passwords anyway?

        Granted this gives you a smaller time window and you grab all the passwords in one hit.

    2. Ian Joyner

      Re: But

      "macOS is so secure you don't even need...."

      For people who make idiotic snide straw man comments like this, security is not black and white but a spectrum. For many technical reasons, MacOS is more secure than others like Windows and Linux. Any Unix is less secure than Burroughs/Unisys MCP (which has bounds checking in the architecture). While these machines are even more secure, vulnerabilities are always there, but less of them and harder to exploit.

      That is all you can do for security. But you don't ignore it because you can't be 100% secure.

  3. Anonymous Coward
    Anonymous Coward

    It Doesn't Matter...

    Because look how shiny my Apple device is! Look! It's soooo shiny! Loot at it! Shiny! Shiny! Shiny!

    1. Ian Joyner

      Re: It Doesn't Matter...

      "Because look how shiny my Apple device is! Look! It's soooo shiny! Loot at it! Shiny! Shiny! Shiny!"

      No. Macintosh users are more serious than that. As Steve Jobs once said "Interface design is less about the way it looks, but the way it works".

      For people who make idiotic snide straw man comments like this, security is not black and white but a spectrum. For many technical reasons, MacOS is more secure than others like Windows and Linux. Any Unix is less secure than Burroughs/Unisys MCP (which has bounds checking in the architecture). While these machines are even more secure, vulnerabilities are always there, but less of them and harder to exploit.

      That is all you can do for security. But you don't ignore it because you can't be 100% secure.

  4. Potemkine! Silver badge

    Will Apple try to sue him for blackmail? Anything is possible in this fantastic world.

    1. Wellyboot Silver badge

      That'll be why he hasn't mentioned any value for bug finding. As soon as any price is mentioned the blackmail lawyers can get to work, currently he could argue in court that a 'thank you' would be recompense.

      Illegal > Blackmailer - "Give me 'X' or else I'll ..."

      Legal > Lawyer - "Give my client 'X' or we'll drag you through the courts"

      1. NightFox

        @Wellyboot: Illegal > Blackmailer - "Give me 'X' or else I'll ..."

        But surely he's not saying he will do anything at all, he's only saying he won't do something specific that he's under no legal obligation to do in the first place.

        All he's saying is "I have some information that I'm willing to sell you for 'X'" which is just the standard business model of any consultancy.

    2. DougS Silver badge

      In a way it is blackmail

      Maybe he's being truthful when he says he's doing it to point out a shortcoming in Apple's bug bounty program, maybe not, we don't know. But let's say they pay him. What stops the next guy from saying he's holding back telling them because he thinks they aren't paying enough, and wants a guarantee he will get a certain amount of money? What if he wants more than their highest payout, because he thinks that's inadequate for the bug he found?

      At what point does it go from 'changing corporate behavior you think falls short of an ideal' and become blackmail?

      1. Anonymous Coward
        Anonymous Coward

        Re: In a way it is blackmail

        'But let's say they pay him. What stops the next guy from saying he's holding back telling them because he thinks they aren't paying enough, and wants a guarantee he will get a certain amount of money? What if he wants more than their highest payout, because he thinks that's inadequate for the bug he found?

        At what point does it go from 'changing corporate behavior you think falls short of an ideal' and become blackmail?'

        At no point. None of what you have described is blackmail. No body is obliged to buy or sell anything. No one in your scenario has threatened anything, not vaguely or specifically. No criteria for blackmail has been met.

      2. Matthew 3

        Re: In a way it is blackmail

        It becomes blackmail when there's a threat involved.

        Failing to disclose information that would benefit somebody else is not blackmail.

        Saying "I'll release an exploit unless you pay me!" would be an example of where the line is crossed.

        1. DougS Silver badge

          Re: In a way it is blackmail

          I guess I assumed that he was going to release the exploit, but if all he's going to do is not tell Apple then why should they care? The only difference it makes is that it gives blackhats a place to look for a bug, but it also gives Apple a place to look for it...the race is on!

  5. Dan 55 Silver badge

    Yet more proof

    Macs are an afterthought down at Cupertino.

  6. chivo243 Silver badge

    Good for him

    Stick it to Apple... if possible?

  7. Benchops
    Joke

    "Apple did not respond to a request for comment"

    to El Reg? How unlike them.

  8. Anonymous Coward
    Anonymous Coward

    I need some clarity here.

    Is he asking for money, recognition or both?

    If it's money, I have bad news for him - even if you don't set a price on it I think you have already passed the point of probity, and if you want to know how that works I only have to highlight the FaceTime bug which has emerged as been known for a LOT longer than when it got acknowledged publicly (btw, still waiting for a fix on that although I have just seen something show up in iOS betas).

    There's also the fact that it's now out there that it is possible, so it's not going to take that long for someone else to work it out - thus, even the limited disclosure for publicity (read: pressure) reasons is causing harm.

    That said, I can see where he's coming from and frankly, I'm a bit disappointed with Apple having not much of a program in this respect. Microsoft has it because it sorely needs it (that said, they don't pay for all fixes either - one of the rather major Outlook password bugs just got fixed quietly without the people who discovered it being paid a penny).

    Must do better - all of them.

  9. Mr Humbug

    Well if Apple won't pay ...

    He could take it to Zerodium. It pays up to $50,000 for a MacOS local privilege escalation or sandbox escape apparently. (whihc seems rather low - the equivalent for Windows is up to $80,000)

    1. DougS Silver badge

      Re: Well if Apple won't pay ...

      Given that there are over an order of magnitude more Windows boxes in use, the Windows flaw has a lot more potential targets for the bad guys. Couple that with the fact that Windows has an even larger installed base advantage in the corporate world (where such a flaw would be more easily monetized by the bad guys) and you'd think that if macOS was $50K the equivalent for Windows would be $1 million...

      1. DCFusor Silver badge

        Re: Well if Apple won't pay ...

        YeahBut. In orgs that have both, they keep all the mission-critical artsy-fartsy stuff they use to pitch for bucks on the apple stuff...Because the people they underpay to make up that faff can't run anything more difficult in order to make pie and hockey stick charts. Or kids leaping through the air while apparently having some sort of climax experience. We all know that's where the real money is.

        Do I need a sarc tag?

  10. Richard 1

    Sell to the highest bidder.

    If someone finds a flaw in software/OS/website/etc. then would it be illegal to sell that flaw to the highest bidder? What law would be breaking, if any?

    If my assumption above is correct then it makes absolute sense to reward researchers for finding flaws and reporting them although they would have to be careful not to get into a bidding war with more nefarious buyers?

    1. IneptAdept

      Re: Sell to the highest bidder.

      Selling the details of a issue is not illegal

      Writing software to take advantage could be, but not in Germany I dont think

  11. trevorde

    Market share

    when you only have 10% of the desktop market, and falling, why should you care?

    1. Rajesh Kanungo

      Re: Market share

      The MacBook share and numbers are growing in a shrinking overall PC market.

  12. Stretchoman

    Apple don't want to give recognition

    For them to do that, they have to point out that they did something wrong. They can't pull back that curtain to their fans.

    1. Spazturtle Silver badge

      Re: Apple don't want to give recognition

      What are you talking about? Apple have a public page detailing security updates and they give credit to who reported the vulnerability. Here is a recent example: https://support.apple.com/en-gb/HT209521

  13. Anonymous Coward
    Anonymous Coward

    Whingeing sponger ?

    Unless a vendor has specifically set up a bug bounty program then why should they pay him? They didn’t ask him to waste his time doing ‘research’, maybe he go and get a proper job ?

  14. Charlie Clark Silver badge

    He's obliged to provide the details

    I think both DMCA and German law will oblige him to provide the details of the exploit to the authorities at least. A few years ago "hacking" and not just "cracking" became a crime in Germany.

    1. DCFusor Silver badge

      Re: He's obliged to provide the details

      I used to want to visit the EU and Germany specifically. But it looks to have gone all totalitarian again, so I'm probably better off in one of the ignored parts of the US now.

    2. eldakka Silver badge

      Re: He's obliged to provide the details

      A few years ago "hacking" and not just "cracking" became a crime in Germany.

      Are you equating with him finding the exploit to hacking?

      This is not a remote website hack, or an attack against a 3rd party service. He played around with his own personal property and discovered the flaw. Therefore no 'hacking' - from a legal sense - has taken place, as it was all against his own property.

      1. Charlie Clark Silver badge

        Re: He's obliged to provide the details

        Are you equating with him finding the exploit to hacking?

        Not me, the law is very broad scope. It has, for example, been argued that developing and using penetration test libraries is illegal so you now (I've seen such requests) need to obtain explicit permission from suppliers in order to test your own systems that they've developed or host. At the same time, it's legal to use software that cracks DeCSS so that you can make copies of your own DVDs…

        In the current case I think it was unwise of the guy to go public like this because the authorities will have to act. If then refuses to provide details of the exploit, he could very well incriminate himself as the result of a publicity stunt. But, IANAL.

  15. Anonymous Coward
    Anonymous Coward

    just sell it

    If they don't offer a bug bounty, then they don't - just sell it.

    enough with the stupid drama.

    1. ThomH Silver badge

      Re: just sell it

      I think there's quite an ethical leap between using a bug you found to shame a company that (significantly) lags the others in its inducements for bug reports, and seeking to profit from knowledge of a bug by other means.

      Assuming he hasn't tried to sell it by any other means, good for him.

    2. Rajesh Kanungo

      Re: just sell it

      As someone else pointed out, it is an ethics issue. Also, once you cross over you are tainted for ever.

  16. Rajesh Kanungo

    Bug bounties pay almost nothing on an average ...

    Seems like it is vary hard making a living off finding bugs. Given that fixing a regular bug in the field costs $100K or more, the payments are measly.

    https://blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/

  17. The C Man

    Be honest!!!

    Let's be totally honest here. If a bounty is offered it means Apple will be admitting it's possible that bugs exist. Apple's sales teams used to deny the possibility of anything being hacked or for a virus to exist on an Apple product. If a reward was offered it might cause more experts to look for them. More experts looking could cause more to be found and there goes the illusion of total security.

  18. Thunderpants

    I guess all Apple has to do is include macOS in the bug bounty process and he can then submit the details through that program subject to its existing terms and conditions?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019