Researcher Wants Apple To Pay Bug Bounty Before Revealing KeySteal Keychain Bug


A teenage German security researcher has found a major bug in macOS that allows an attacker to access data from the Keychain without admin rights. And the fault doesn’t just affect the logged-in user – any Keychain, belonging to any user with an account on the machine, could be compromised. The sting in the tail is that the researcher won’t tell Apple how it works until the company starts a macOS bug bounty program.

Researcher Linus Henze discovered the vulnerability, dubbed KeySteal, and posted a YouTube video demonstrating it. And while he hasn’t released any source code or a proof-of-concept that could be used by malicious actors, he’s holding out on giving the details to Apple.

Although Apple does have bug bounty programs in place for some things, with generous potential payouts, there’s no reward for researchers like Henze as there’s no bounty on macOS bugs.

Apple announced its program at BlackHat 2016 and offers:

  • Secure boot firmware: $200,000
  • Extraction of confidential material protected by the Secure Enclave
  • Execution of arbitrary code with kernel privileges: $50,000
  • Unauthorized access to iCloud account data on Apple Servers: $50,000
  • Access from a sandboxed process to user data outside of that sandbox: $25,000

While this program focuses on some important areas, it has some clear blind spots – like the one Henze discovered.

Henze says he isn’t after the money per se but wants to use the bug he found to motivate Apple to expand its bounty program.

On the back of a 14-year-old discovering the embarrassingly bad FaceTime bug, Apple now has the 18-year-old Henze putting the company’s security credibility in the spotlight again. Fortunately, there’s no evidence that KeySteal is being exploited in the wild, but now that there’s a known issue you can be sure that bad guys are looking into it closely.


  • I’m not impressed that he’s essentially holding them to ransom on this, but at the same time it’s weird that they don’t have a bug bounty for pretty much anything. I’d have thought they’d have a blanket bounty on any OS security bugs.

    • I don’t see how he’s holding Apple to ransom. He’s already informed them there’s a problem and where it is. Apple can now create a bounty program and get quick access to the details, or spend a lot of time and money on their own resources looking for the bug.
      A bounty program will mean more people will start looking for additional bugs (which might be opening a can of worms), resulting in (hopefully) a better and more secure OS.

      • He is holding them to ransom by refusing to give them details of the bug. “Hey I have something you want (the bug details) but I’m not going to give it to you unless you give me what I want (a bounty program)”.

        It’s an interesting ethical argument over whether he’s causing more harm by denying them full details or whether he’s going to create a more beneficial situation in the long run.

        And I thought it was obvious from my first post that I think a bounty program is a good idea. That’s why I said I was surprised they didn’t have one. Creating a bounty program for a big company isn’t going to be a quick fix in this case because it’s likely going to take weeks or months to debate, plan and implement something like that. Which means they’re still going to have to find the bug themselves in the meantime.
