A teenage German security researcher has found a major bug in macOS that allows an attacker to access data from the Keychain without admin rights. And the fault doesn't just affect the logged-in user - any Keychain, belonging to any user with an account on the machine, could be compromised. The sting in the tail is that the researcher won't tell Apple how it works until they start a macOS bug bounty program.
Researcher Linus Henze discovered the vulnerability, dubbed KeySteal, and posted a YouTube video demonstrating it. And while he hasn't released any source code or a proof-of-concept that could be used by malicious actors, he's holding out on giving the details to Apple.
Although Apple does have bug bounty programs in place for some things, with generous potential payouts, there's no reward for researchers like Henze as there's no bounty on macOS bugs.
Apple announced its program at BlackHat 2016 and offers:
- Secure boot firmware: $200,000
- Extraction of confidential material protected by the Secure Enclave
- Execution of arbitrary code w/kernel privs: $50,000
- Unauthorized access to iCloud account data on Apple Servers: $50,000
- Access from a sandboxed process to user data outside of that sandbox: $25,000
While this program focuses on some important areas, it has some clear blind spots - like the one Henze discovered.
Henze says he isn't after the money per se but wants to use the bug he found to motivate Apple to expand their bounty program. On the back of a 14-year-old discovering the embarrassingly bad FaceTime bug, Apple now has the 18-year-old Henze putting the company's security credibility in the spotlight again. Fortunately, there's no evidence that KeySteal is out in the world, but now that there's a known issue you can be sure that bad guys are looking into it closely.