Not holding my breath
“ If someone at Apple would like to comment, you know where to find us.”
A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts – and even their webcams. Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's …
"From the article, this sounds more like really bad design rather than a bug."
That's what I getting to. It sounds like this was "OK" to do because, well... it's supposed to have that option. If I had my tin-foil hat with me, I'm sure I could get to the bottom of this trojan like feature.
particularly when messing with code that has such security implications
All code has security implications. The biggest security bugs are usually found in code that would on first glance appear least likely to have security implications. i.e. the bug NSO Group was found to be exploiting last fall which leveraged many individual bugs in a chain but one was found in ancient open source software used to embed fax images in a PDF. Who is going to look at that and think "uh oh I better audit this code or someone will develop a terrifying iPhone exploit!"
If you only look at the code with "such security implications" you will miss the forest for the trees. Not that anyone has successfully managed to secure even the stuff that really needs to be secure - just look at the bugs found in openssl code that had been there for years and years without anyone noticing. You gotta think that was subject to a ton of scrutiny, given how important that is to pretty much every company and every government in the world for something or other, and it was sitting out there in the source where any one of 7+ billion people could have chosen to look at it if they wished.
That's nice work. Hacking is a bit like chess - you've got a starting position, and then you exhaustively search all your moves from that point. And there are some truly random moves in here, I definitely wouldn't have thought of zeroing out a file to keep its metadata and replacing with a web-archive (clearly neither did Apple).
Lots of grumblers above - I must be writing this comment in the presence of people that write complex systems and still never get anything wrong. Had I known I would have worn a nicer shirt.
If people releasing large scale software with lots of developers involved think their team and process are so good that the product has no vulnerabilities, that just means the people finding them are keeping it quiet. This is a pretty great example of a bug bounty doing exactly what it is supposed to.
You're right. But then again, this is also yet another instance of stricter security being bypassed for convenience for certain privileged services, in this case Apple's cloud storage which is quite clearly bypassing ACL security which should not allow the remote user to change the executable status of any files on my system. This used to be called download poisoning and is one of the reasons for sandboxing all file transfers.
Apple don't have a perfect track record of payouts either. In all these programmes most researchers ultimately end up at the mercy of the big company's charity and it'll remain that way until the industry sets up some kind of genuinely independent dispute resolution process. Which they have little incentive to do because headlines involving $100k feel good stories make bigger waves than bitter he-said she-said tales of individual and corporate grubbiness.