Linus Henze has informed Apple of all details regarding a bug he discovered in the macOS Keychain security software, and has done so without payment from the company. He previously withheld the information in protest of the company's lack of a Bug Bounty for Mac, but now says the problem is too important to keep to himself.
German teenager Linus Henze has sent Apple full details of a Keychain security exploit that he demonstrated in early February, and has done so despite the company ignoring his previous conditions. Henze says that he has decided to reveal the details to Apple because the bug he's found "is very critical and because the security of macOS users is important to me."
I've decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I've sent them the full details including a patch. For free of course.
— Linus Henze (@LinusHenze) February 28, 2019
The 18-year-old had discovered a macOS bug that could allow apps to see passwords held in Mojave's Keychain security feature. He developed an app he called KeySteal to demonstrate it, but originally refused to inform Apple. Henze was protesting against the fact that Apple has no Bug Bounty program for macOS the way it does for iOS.
"I'm willing to immediately submit you the full details - including a patch," he said in an email to the company dated Feb. 5. "If an official Apple representative sends me an official (and reasonable!) statement why Apple does not have nor wants to create a Bug Bounty program for macOS."
Apple did reach out to Henze to ask about his discovery, but not to discuss his demands. On Feb. 8, he emailed again, re-stating his conditions, but seemingly got no response.
There have been no reports of the exploit being used by malicious apps but AppleInsider explained that concerned users can make sure they're safe by adding an extra password to the login keychain.
While Apple does have a Bug Bounty program for researchers who find security problems in iOS, even that has been called stingy compared to other firms.
31 Comments
People generally can't be held liable (e.g., through a civil action) for (negligent) omissions which lead to harm suffered by others. But there are exceptions to that general rule.
I don't know all the details of this situation, and he's in Germany so applicable principles might be very different, but I wouldn't rule out the possibility that he could face civil liability if he didn't take reasonable action (e.g. revealing details of the exploit to Apple) to mitigate the risk of harm to others. Again, the general rule would protect him from such liability. But I can think of exceptions which could possibly apply in this case. So it's possible - though I don't mean to suggest likely, I just don't know enough to make such an assessment - that he's now been made aware that he could face civil liability if he doesn't disclose the details of the exploit to Apple and, as a result of Apple not being able to address the problem as quickly, third parties are harmed.
The arrogance of some people who demand explanations.
Bad PR will continue to shape Apple’s decisions.