After a Germany-based security researcher last month claimed to have identified a macOS security workaround to access passwords and user information stored in Keychain, he says he’s reversed his position on sharing that information with Apple, 9to5Mac reported Wednesday.
Linus Henze posted a YouTube video on Feb. 3 presenting his apparent findings. But he said at the time that he was not planning to share the exploit with Apple, claiming the decision boiled down to the fact that while the tech giant has a bug bounty program for iOS, it does not have one for macOS. Henze wrote that he hoped “this forces Apple to open a bug bounty program at some time.” But no cigar.
Henze claims he was contacted by Apple about the security exploit on Feb. 5, at which time he appears to have offered to submit the exploit and a patch if the company would provide an official statement on why it lacks a macOS bounty program, per a screengrab he shared to Twitter. He claims that after receiving no response from the company, he again followed up with the Apple security team with the same offer.
On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote. pic.twitter.com/GcNv8VQISH
— Linus Henze (@LinusHenze) February 8, 2019
On Thursday, Henze tweeted that he submitted the information to Apple “even though they did not react, as it is very critical and because the security of macOS users is important to me.” We’ve reached out to Apple about the apparent exploit and will update if we hear back.
Apple’s bug bounty for iOS has been around for a couple of years now, but even it isn’t perfect. Initially, folks who were interested in the dough found that bugs were worth too much to report directly to the company, Motherboard reported in 2017 (a follow-up report last year indicated that had somewhat changed). Nikias Bassen of Zimperium told the site at the time that researchers could “get more cash if they sell their bugs to others.”
Still, Keith Hoodlet, a trust and security engineer with cybersecurity platform Bugcrowd, said in 2017 per Wired that Apple “would likely benefit from having a bug bounty program that’s a little bit broader than just iCloud or iOS infrastructure.” And honestly? That doesn’t sound like such a terrible idea.