Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Researcher Gives Apple Details of macOS Keychain Security Flaw Despite No Mac Bug Bounty Program
A German teenager who discovered a macOS Keychain security flaw last month has now shared the details with Apple, after having initially refused to hand them over because of the company's lack of a bug bounty program for the Mac.
Eighteen-year-old Linus Henze dubbed the zero-day macOS vulnerability he found "KeySteal," which, as demoed in the video above, can be used to disclose all sensitive data stored in the Keychain app.
Henze said he decided to reveal the details to Apple because the bug "is very critical and because the security of macOS users is important to me."
After Henze released the video in early February, Apple's security team reached out to him, but the researcher said he wouldn't disclose the details without a cash reward, arguing that discovering the vulnerabilities takes time.
"Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."
Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.
Eighteen-year-old Linus Henze dubbed the zero-day macOS vulnerability he found "KeySteal," which, as demoed in the video above, can be used to disclose all sensitive data stored in the Keychain app.
Henze said he decided to reveal the details to Apple because the bug "is very critical and because the security of macOS users is important to me."
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
— Linus Henze (@LinusHenze) February 28, 2019
After Henze released the video in early February, Apple's security team reached out to him, but the researcher said he wouldn't disclose the details without a cash reward, arguing that discovering the vulnerabilities takes time.
"Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."
Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.
Tags: exploit, Apple security
[ 82 comments ]
Top Rated Comments
(View all)
15 weeks ago
He probably cares about Mac OS as platform, and wants to see bugs fixed.
Thank you, Linus.
Now, Apple, listen to the people, and start bug bounty program.
Thank you, Linus.
Now, Apple, listen to the people, and start bug bounty program.
15 weeks ago
Get a bounty program for Macs. This is not a good look for Apple. There's no reason to have a program for iOS and not MacOS.
15 weeks ago
I can't really imagine a way for blaming him and his behaviour, but I'm sure this forum won't let me disappointed
15 weeks ago
It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.
I'm sorry but this is just BS. I used to support Windows environments for a living, what you see on Mac is literally nothing compared to what you see on Windows.
15 weeks ago
Maybe there is too many bugs in MacOS that Tim would lose to much money on the deal...
15 weeks ago
First, thank you Linus for sharing the info with Apple.
I can only think of 2 reasons whey Apple wouldn't have a bounty program for Mac OS security flaws (neither makes Apple look good).
1) Apple doesn't care enough about Mac OS to pay a bounty for finding security flaws or
2) Apple is afraid of what the bounty program would cost.
I really hope there is a different, actual reason they don't have a bounty program but I can't think of what it would be.
I can only think of 2 reasons whey Apple wouldn't have a bounty program for Mac OS security flaws (neither makes Apple look good).
1) Apple doesn't care enough about Mac OS to pay a bounty for finding security flaws or
2) Apple is afraid of what the bounty program would cost.
I really hope there is a different, actual reason they don't have a bounty program but I can't think of what it would be.
15 weeks ago
A Google's Project Zero researcher also found a copy-on-write (COW) ('https://en.wikipedia.org/wiki/Copy-on-write') flaw in the MacOS kernel, that they just released publicly, because it us over 90 days since they notified Apple.
15 weeks ago
Apple doesn't care because Mac OS is the Apple ][ of 2018. Eventually, Apple will just sell IOS devices. They are clearly headed in this direction. :(
15 weeks ago
It’s great that Apple values our privacy, but the lack of security makes all that effort pretty much useless. I think we’ve seen more critical security bugs from Apple than from any other major company.
[ Read All Comments ]
In iOS 13, Apple has extended the system's built-in screenshot feature to include the ability to save a full web page as a multi-page PDF.
Don't expect this option to appear when...
For this week's giveaway, we've teamed up with Twelve South to offer MacRumors readers a chance to win a prize pack that includes a BookBook vol. 2 for iPad Pro, an AirFly, and a set of...
O2 has became the latest network carrier in the United Kingdom to offer the cellular version of the Apple Watch Series 4. iPhone users can now order the LTE-enabled smartwatch through the O2 website,...
Unsolicited phone calls can become a regular annoyance and even a cause of stress for many smartphone users these days. Thankfully, Apple provides a feature in iOS 13 that can automatically silence...
The Iconfactory today announced it has released a significant update to its popular third-party Twitter client Twitterrific for iPhone and iPad. The latest version of the app contains over 50 new...
Apple yesterday released a new update for Safari Technology Preview, the experimental browser Apple first introduced three years ago in March 2016. Apple designed the Safari Technology Preview to...
Amazon and B&H Photo are discounting the latest versions of Apple's iPad Air this week, with each configuration of the tablet receiving a new all-time-low price tag. Amazon offers the largest...
Spotify today announced a new version of the "Your Library" tab in its mobile apps for iOS and Android, which is "designed to get you to the content you want faster." This update is...
