
Syriel

Banned
Dec 13, 2017
11,088
Confirmed 0-day exploit called KeySteal on macOS that allows anyone with machine access to dump all Keychain info.

No information has been provided to Apple on how the exploit works, but it's pretty much guaranteed to be in the wild.

 

captive

Member
Oct 25, 2017
16,999
Houston
Ya damn him for doing Apple's job and wanting money for it!
So people should only look for bugs if there is a reward? No one asked him to do it.

Apple is dick?
Of course it's on Apple. But again, no one asked this guy to look for bugs.

But it's a dick move to put it out there and say I'm not gonna tell Apple cause there's no bug bounty.
 
Syriel

Banned
Dec 13, 2017
11,088
But it's a dick move to put it out there and say I'm not gonna tell Apple cause there's no bug bounty.

Why?

He's not selling the exploit. Nor is he sharing a public PoC. He simply had it verified by another security researcher.

If he found it, so have others.

He is making the existence of the 0day public so that the public can be aware, and take steps to protect themselves.

Meanwhile, Apple now has constructive knowledge of the issue, and can spend engineering time fixing it.
 

Ferrio

Member
Oct 25, 2017
18,072
So people should only look for bugs if there is a reward? No one asked him to do it.

People can do it for whatever reason they want, but wanting compensation for important work shouldn't be vilified. You're right, no one asked him to do it, but Apple can ignore him if they want to find it themselves. Their choice.
 
Nov 30, 2018
2,078
User Warned: Thread whining
Another hate-on-Apple-for-no-reason thread.

Meanwhile there are probably millions of exploits on Windows.
 

Hippo_PRIME

Banned
Oct 25, 2017
171
So people should only look for bugs if there is a reward? No one asked him to do it.

Apple is dick?
Of course it's on Apple. But again, no one asked this guy to look for bugs.

But it's a dick move to put it out there and say I'm not gonna tell Apple cause there's no bug bounty.
This is how these things in software work. People interested in software poke around. Typically, if something wrong is discovered, a bug bounty incentivizes sharing that information. That's why so many other companies have them.

It's telling that Apple doesn't have a bug bounty program. For them to not is arrogance, plain and simple. It's that elitism that Apple is known for. This guy is not at all a dick, Apple fully is.
 

captive

Member
Oct 25, 2017
16,999
Houston
Apple is not entitled to his labor.
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.
 

Deleted member 23212

User requested account closure
Banned
Oct 28, 2017
11,225
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.
He's not forcing them to pay.
 

kadotsu

Member
Oct 25, 2017
3,505
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.
I agree that Apple should just give contracts to every coder on the planet. I would personally take that deal. The text of the contract would sound like:

Yo, find some unknown bugs.

Peace, yo boy Tim!
 

Deleted member 1476

User requested account closure
Banned
Oct 25, 2017
10,449
Lmao at calling this guy a dick. People here are so up these companies' nuts they can't even see the dick anymore.
 

DBT85

Resident Thread Mechanic
Member
Oct 26, 2017
16,281
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.

He's not forcing them to pay, and he knows that it's valuable information they don't have.

If Apple can't find it themselves, maybe they can rummage around in the sofa and dig out some money for the info.
 

Deleted member 8901

Account closed at user request
Banned
Oct 26, 2017
2,522
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.

It's not like that at all.
 
Oct 25, 2017
26,560
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.
Difference is, I don't have millions of people coming into my house and leaving their valuable shit.
 

LCGeek

Member
Oct 28, 2017
5,857
But it's a dick move to put it out there and say I'm not gonna tell Apple cause there's no bug bounty.

Apple put themselves in that position and people shouldn't be doing their work for free. The company with billions of dollars can pay the guy for his labor and insights.

The public has a right to know that a kernel they use has security flaws.
 

lint2015

Member
Oct 27, 2017
2,811
so people should only look bugs if there is a reward? No one asked him to do it.


Apple is dick?
of course it's on Apple. But again no one asked this guy to look for bugs.

But it's a dick move to put it out there and say I'm not gonna tell Apple cause there's no bug bounty.
Apple sucks at cooperating with the security community when it comes to bugs; not having a bounty for critical macOS bugs is part of that. Just like that FaceTime bug, too often they completely ignore the issue when it's reported to them, bounty or not, until there's press coverage. Only then do they make haste and contact those who discovered it.

That culture needs to change for their customers' sakes, because at the end of the day, these exploits are used against their customers.

So yes, Apple is the dick.
 

Moosichu

Member
Oct 25, 2017
898
This would be like me coming to your house and writing a report on all the ways I can get into your house, then sending you an invoice for my assessment. You didn't ASK me to do it.

Neither did Apple, in this case.

Don't want to work for free? Don't do shit without an agreement in place. This isn't hard.

It's more like a company sold you a house and you found out that none of the locks work. Meanwhile everyone else's home is just as unsafe because they have the same locks, which criminals can exploit. Meanwhile Apple aren't providing people incentives to report these flaws back to them so that they can be fixed. It's entirely on them.
 

Arthands

Banned
Oct 26, 2017
8,039
Why?

He's not selling the exploit. Nor is he sharing a public PoC. He simply had it verified by another security researcher.

If he found it, so have others.

He is making the existence of the 0day public so that the public can be aware, and take steps to protect themselves.

Meanwhile, Apple now has constructive knowledge of the issue, and can spend engineering time fixing it.

More like informing people that they can exploit it before Apple can fix it.
 
Oct 26, 2017
10,499
UK
More like the users whose passwords will get compromised cause some kid is greedy.

But that's OK cause Apple is getting owned!

Apple released the software with the flaw; the kid just wants a buck for doing their job better than them. Corporate apologists are the worst bootlickers; they don't even care about labour getting its worth within the capitalist system they support.
 

asmith906

Member
Oct 27, 2017
27,398
More like the users whose passwords will get compromised cause some kid is greedy.

But that's OK cause Apple is getting owned!
If he found it, then other people have probably found it. But unlike him, who is putting it out in public, they are trying to cause harm. People like him who find critical flaws in software that millions of people use are not the villains in this scenario.
 

Mammoth Jones

Member
Oct 25, 2017
12,309
New York
>Kid is greedy
>Apple has 250+ billion in the bank but can't spend resources on a bounty program

Don't hold an exploit hostage for a payday cause you don't agree with their policy? This ain't hard.

I agree that Apple should rethink a bounty program, but that to me has fuck all to do with this kid trying to leverage it for a check.

Apple released the software with the flaw; the kid just wants a buck for doing their job better than them. Corporate apologists are the worst bootlickers; they don't even care about labour getting its worth within the capitalist system they support.

Oh give me a break with the bootlicker bullshit lmao. This isn't about Apple. This is about some greedy kid who would rather see passwords compromised than not get paid. But I get it. Anything to justify whining about Apple lmao.

We have all reported bugs before for software in production. How many of us got a check? FOH.
 

The Adder

Member
Oct 25, 2017
18,112
Don't hold an exploit hostage for a payday cause you don't agree with their policy? This ain't hard.
Don't be a software manufacturer and refuse to participate in basic infosec community protocol? This ain't hard.

You ain't entitled to the fruits of his labor any more than Apple is. He told people the exploit exists; they can now take the steps necessary to protect themselves.
 

SJurgenson

Banned
Oct 28, 2017
1,239
What happens when Apple fanboys and Apple's lack of an industry standard bug bounty collide?

Mostly just lots of ill-informed discussion.
 

lint2015

Member
Oct 27, 2017
2,811
More like the users whose passwords will get compromised cause some kid is greedy.

But that's OK cause Apple is getting owned!
Please go read up on Apple's lack of transparency regarding security. The users are getting owned because Apple has some hard-on for secrecy that doesn't go well with security.