
Users warned Apple about a serious security issue in macOS High Sierra

Dave Smartier, Dec 3, 2017

A bug bounty wouldn’t have helped Apple spot the macOS root flaw, but Apple should consider a bug bounty or better vulnerability reporting anyway. Earlier this week, Turkish developer Lemi Orhan Ergin tweeted about a serious flaw in macOS High Sierra that let anyone log in to a Mac as root with an empty password. Apple issued a patch the next day.

Responsible disclosure advocates immediately piled on Ergin, calling his tweet “idiotic”, “a little foolish” and “completely irresponsible”. Responsible disclosure is the idea that if you spot a vulnerability, you should alert the company first and give it enough time to bash together a patch before going public.

© Article’s author: Nicole Kobie.
© Source: Wired UK

Despite the Twitter abuse, Apple was apparently warned about the flaw before Ergin tweeted it out. In a Medium post, Ergin claimed that the issue was spotted by staff at the company he works for – and they did disclose it to Apple before taking it public. “Wired UK” asked Apple for confirmation of the disclosure, but the company hadn’t responded at the time of publication.

“A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account,” he wrote. “The staff noticed the issue and used the flaw to recover my colleague’s account.”

Ergin explained that his colleagues reported the flaw to Apple on November 23 and noticed that it had been discussed in the Apple Developer Forum as far back as November 13. “It seemed like the issue had been revealed, but Apple had not noticed yet.”

Ergin didn’t tweet about the flaw until five days later, on November 28. Regardless of whether five days is long enough to count as responsible disclosure, Ergin’s stated intent was benign. “The issue was very serious. It has already been mentioned in forums and revealed publicly a few weeks ago,” he wrote on Medium. “I have no intention to harm Apple and Apple users. By posting the tweet, I just wanted to warn Apple and say ‘there is a serious security issue in High Sierra, be aware of it and fix it’.”

Following the public attention, Apple immediately issued advice on a workaround (enabling the root account and setting a password for it, so that the empty password no longer works), and had a patch ready the next day. While that’s good news for macOS users, it’s raised the question of whether Apple could do more to encourage security researchers to watch out for issues on the Mac operating system.

Responsible disclosure is encouraged by so-called bug-bounty programs, in which companies pay security researchers for reporting such flaws. They’re popular across the tech world: in 2016 alone Google paid out $3 million, and Facebook, Tesla, Microsoft and Uber all have similar programs. Even non-tech companies are using them: Bugcrowd’s State of Bug Bounty report revealed enterprise adoption of such programs was up 300 per cent last year.

Google’s bug bounty program pays out $3 million, mostly for Android and Chrome exploits:

If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million, a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as a bug bounty program, launched in 2010.

The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook hack from $50,000 to $100,000, after no one managed to pull one off.

Among 2016’s bug bounty exploits:

Google awarded $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on its events site (events.google.com). Bojarski has been hunting for Google bugs from a small town in Poland for the last three years and claims to do it for the “sheer enjoyment.” Maybe also for the glory, because he’s killing it on Google’s bug bounty leaderboards.

A “bug chain bonus” of $5,000 and another $7,500 for a JavaScript exploit targeting the Google account recovery page.

A Chrome OS vulnerability involving a one byte DNS library overflow, detailed at the Project Zero blog. Sounds like someone finally cashed in on Google’s Chromebook call to action.

But while Apple has an invite-only bug bounty programme for iOS, it doesn’t pay out for flaws found with macOS. Critics suggest that means researchers are less likely to dig about in macOS code looking for flaws. “Bug bounty programs help further incentivise hackers to spend more time looking for bugs,” says Alex Rice, co-founder and CTO of HackerOne. “Bounties can help attract more attention from a broader audience, meaning you’ll have more people testing the security of your software.”

Keith Hoodlet, Bugcrowd’s trust and security engineer, agrees. “I think (Apple) would likely benefit from having a bug bounty program that’s a little bit broader than just iCloud or iOS infrastructure,” Hoodlet says. “Large companies usually see a lot of savings from having a bug bounty programme, and that’s usually a time-cost savings.”

On the other hand, the high value of Apple flaws may make them a special case – a report by Motherboard last year suggested researchers are much more likely to sell iOS vulnerabilities to the highest bidder as they’re too valuable to hand over to Apple.

Apple is certainly wealthy enough to pay for flaws, so why doesn’t it?

“Apple has had a history of somewhat closed doors when it comes to dealing with or responding to vulnerabilities that have been reported against their systems,” Hoodlet says. “Historically speaking, Apple does not credit researchers for their findings when it comes to vulnerabilities being fixed, so to that end it may just be a company culture.”

Rice notes that not having a bug bounty doesn’t mean Apple is weak on security, saying such programs are “by no means a silver bullet” for security. “Vulnerabilities are always inevitable and Apple should be applauded for their exceptional security response – the issue was fully resolved in a matter of days,” he adds.

Even without a bug-bounty program, Apple does take flaw reports over email, and Rice says it’s more important to have such a vulnerability disclosure program than it is to pay for reports. “This tells the world, ‘If you know of a vulnerability we’d like you to share it with us so we can fix it’,” Rice says. “It’s providing a safe and secure channel for friendly hackers to disclose what they find and ensuring they won’t face a response from a lawyer or law enforcement.”

If you do spot a bug, Apple publishes its vulnerability reporting details on its product security page; reports go to product-security@apple.com.

Reportagent confirmed that this security flaw is present on macOS High Sierra 10.13.0. The same flaw also affected 10.13.1; Apple’s fix shipped as Security Update 2017-001 for High Sierra and is included in 10.13.2. Earlier releases (macOS Sierra 10.12 and older) were not affected.
