How funny to find hackers trying to avoid paying journalists for their work on a story about a company that's trying to avoid paying hackers for their work.
I haven't read the article, because fuck paywalls. But given the stories from hackers that drip here and there, I have got a feeling they are setting forth conditions that are too crazy to be even taken seriously, compared to competitors.
It could be that 0-days are easier just to sell to black market and not bother with Apple's ridiculousness and red tape.
A lot of CVE disclosures I've read involving Apple typically go cold-case for a few months after disclosure. The person responsible for the old Thunderbolt memory access hack (Thunderspy) didn't even hear back from Apple upon disclosing their findings, so I think it's safe to say that they're either understaffed or not interested in fixing your critical security vulnerability
Wow. "Apple’s bug bounty program offers $100,000 for attacks that gain “unauthorized access to sensitive data.” Apple defines sensitive data as access to contacts, mail, messages, notes, photos or location data."
But a hack that allows arbitrary, malicious applications to be installed doesn't count; even though it could send any user files on the computer (so any data that is not encrypted by its consuming application). That seems...a bit of a logical leap. I mean, yes, it can't let you access iCloud photos, but a random JPG on your computer is totally fair game, so even with their list, it feels like it should be included (let alone the excel file with revenue figures that are going to be broadcast at the next quarterly result meeting with shareholders, or the HR docs containing PII, or...)
A malicious application on macOS doesn’t automatically get access to the user’s sensitive data (contacts, photos, documents, etc). When an application tries to access those things the user normally gets a prompt from the OS to authorize such access. Verified bugs that allow circumvention of this prompt are what Apple is paying for.
From the article - "Owens created a hypothetical attack that gave hackers access to the victim’s files. He said in an interview that it could have hypothetically allowed hackers to access corporate servers, if the target computer were used by a corporation."
Perhaps Owens is lying. Perhaps this is misleading reporting, or otherwise occluding something. But on the surface of it, it sounds like no user intervention required.
Yeah so if he did as he claimed then he achieved the bypass Apple claims to be paying for. Now if Apple is lying and refusing to honour their bug bounty, that is another matter.
My point is that just because you can get the user to execute your malicious executable under their user account does not grant you access to all their files, unlike what you would expect with traditional Unix permissions.
Your point is taken, but also irrelevant to the specifics laid out in the article. I appreciate that "normally" the user may have to allow access to files and things (I'm not sure I've ever experienced that on a Mac before when installing applications; I installed Sublime and could open and edit files without any user dialogs, but maybe I disabled something, or working through the UI behaves differently or whatever), but the whole point being made is what the hacker says in the article would indicate it should have claimed the bounty.
Internal at Apple Ivan took over the team and then gotrid of all MSRC managers and half employees before rewards program launched. Team drove into ground after and churn through manager after manager, everyone leave
Yep, this lines up with my experience. I've been trying to work with Apple on a critical security vulnerability for over a year now that affects over 100 million systems. When I'd ask the payout ranges at the beginning, I've had multiple people just block me as a contact and Apple themselves refuse to answer. Apple has a strict stance of submitting all of the research up front with no expectations as far as payment. Today, I've been ghosted by Apple, no reply to multiple emails. The last message I have is them saying they're fixing it. I chose the ethical route at a steep cost, the average price of the vulnerability from the other buyers I was talking to was 475K. There have been attempts to hack me 2 days after requesting a quote from some buyers. The most I can hope from Apple is 1/4th that. It really is the poorest communication out of any program I've done with the exception of AT&T's, who patched an RCE in their employee portal I reported (two months later) and then emailed me 6 months later saying there was no RCE. I've been told Apple is getting better with their communication over time, and now their average turnaround is 10 months.
ZDI, like Apple, doesn't tell you the average price of the vulnerabilities you can sell to them when you email them (yes, Apple has example payout ranges, but they aren't clear on classification). At Pwn2Own, ZDI paid roughly half of what Apple should pay. When you consider Apple themselves are 1/4th the market price, thereby making ZDI 1/8th, it becomes impossible to work to them. I raised my concerns with ZDI, no reply.
I submitted some details (nothing technical, just the classification and affected platforms) of my vulnerability to Zerodium. Two days later someone tried to hack into all of my personal accounts and failed due to 2FA, and not many people have the email I used when I communicated with them. I've found other buyers outside the US, but I had ethical concerns and decided against them (at a 300K min loss).
This isn't a judgment, by the way. I'm naive about this area and genuinely curious.
I've found other buyers outside the US, but I had ethical concerns and decided against them (at a 300K min loss).
What type of buyers exist who are unable to fix the vulnerability (in this case, who are not Apple or the affected vendor or do not collaborate with Apple, etc.) but might be considered ethical to sell to?
That was my assumption, but my netsec knowledge could be written on a stamp, so who knows! ;-)
I imagine some people think being rewarded for finding vulnerabilities is unethical entirely, but there seems to be a huge dose of pragmatism around the space.
TOTP two factor authentication protected me. They attacked my recovery email to go for my primary, at the time my recovery provider didn't offer 2FA. I think they may have social engineered the recovery with my SSN (it was a randomly generated password). Then they used the recovery provider to buy time by adding 2FA options, I began recovering within a minute. It was impressive how quickly they worked, they tried to compromise 5 other accounts in 3 minutes. Unfortunately for them, all of the accounts they targeted from that point on had 2FA, and they lost access in 15 minutes.
Already done, with as much relevant information as I could compile. I hope they find who is attacking security researchers. If I had to guess, the motivation may be for the zerodays I have.
You tried to report to apple. You didn't like the way they "treated" you, so you decided to sell it on black market. The black market person tried to hack you. You then went to the fbi to complain about how your black market buyer treated you?
Am i missing something from this story? That seems like a really bad plan.
Yes, this is wrong, both in your timeline and description of the events. I said in my previous comments that the Apple bounty program didn't exist when I began (https://news.ycombinator.com/item?id=28471263) so I was forced to consider other buyers in order to get income as a researcher. I never claimed to entertain any black market buyers, nor would I. Zerodium isn't the black market, they sell to government buyers. Government buyers may be concerned with the manner of which their sources collect said zerodays. The black market is Crowdfense, Israeli/Chinese government, et al.
I assume you didn't tell Apple that you were negotiating with other buyers? I think most bug bounty programs will cut off communications at that point.
I've managed several programs for some very large companies and haggling over bounties with a researcher is a _really_ bad idea. You set your bounty amounts and stick to them. If people want to haggle over impact that's fine, but once you exceed your quoted bounty amount for one person then everyone expects it.
I looked for other buyers before Apple had a bug bounty program, not while talking with Apple. When I found an official way of submitting the vulnerability I cancelled my other negotiations (Apple is the correct channel and I wanted to see it fixed without exploitation). Regarding bounty amounts, I agree that they should clearly define the amounts for each factor of a complete exploit. That currently isn't done. The one thing everyone can give Zerodium credit for is being clear with their pricing, there's no ambiguity over whether you can keep your lights on by doing the research.
That's good. It's unfortunate that the best signal most companies can use for whether their bounty amounts are sufficient is report volume and quality rather than a pro-active "here's what others are paying" or impact to customers. If they set bounties too high initially they'll get swamped with low-quality reports and that will slow response times for the good ones.
The bean counters also play a big role. Most companies aren't ready for big bounty payouts when a program first starts. They set a fixed budget and are more likely to end a program completely if the bottom line cost is too high, regardless of the security impact. Security teams are aware of this and try to walk a fine line.
For researchers who are having problems with programs I'd suggest trying to form a better relationship with the triage teams and security teams. Be helpful, not confrontational. Companies get their best bang-for-buck when they can court good researchers. They love getting quality researchers who report multiple findings and they'll do quite a lot to make them happy, including paying bonus bounties for future reports and being far more transparent with triage status.
> Most companies aren't ready for big bounty payouts when a program first starts. They set a fixed budget and are more likely to end a program completely if the bottom line cost is too high, regardless of the security impact.
At the beginning of a high profile bug bounty program I'd expect higher expenditure than in the following fiscal year due to the backlog of researchers who really want to "sell" to an official channel, not a slow start.
Why companies project this idea that it is wrong that people ask to be compensated fairly for their hard work? The culture of exploitation of engineers is sickening.
Because it’s hard to distinguish between someone who’s trying to help you be more secure and someone who’s trying to extort hush money out of you for an error in your code.
It’s not hard to read it as “we don’t negotiate with terrorists”, and Apple (or Google or Amazon…) know people think they have deep pockets
What does it matter what the reporter's motivation is? The fact is, you have an unpatched vuln in your code, and you either pay up to discover more, or it blows up in your face an indeterminate amount of time later.
But they never contracted or asked you to do that hard work in the first place. You can’t mow my lawn without asking then demand that I pay you for your hard work.
Serious question. If Apple won’t treat you in an ethical manner then why go the ethical route? Why not just sell the sploit to the highest bidder? Seems like there’s a misplaced and unreciprocated sense of integrity on the part of many researchers.
I think this is a great question - In my opinion, carving the ethical path from the start can and should fulfill any moral obligation you might have.
If they don't want to play ball, take it to someone that will appreciate your work. Should it be used nefariously, you are still helping because they might take you more seriously next time, as they should have in the first place.
Considering the half hearted and sluggish response of certain huge companies I can see why some researchers chose the middle path and publicly disclose immediately.
Sometimes the ethical thing to do is adversarial. It forces better behavior for short term pain.
As far as exposing users, that makes assumptions about the actions of a number of people including the company in question which could, if it so desired, assemble the resources to push a fix within 48 hours.
Usually such poor community engagement correlats to lack of acceptance or slow fixing timings. The best recourse is to disclose publicly after set number of days (90).
Disagree if Apple is willfully mistreating people who it knows have zero days on them and want to work with them on fair terms, and then those zero days end up in the wrong hands, I place the blame SQUARLEY on Apple. I'm not going to victim blame a security researcher trying to put food on the table or provide for their family for what Apple forced their hand to do.
simply put if Apple doesn't find a way to come to an agreement with this person in a timely manner, they are just saying they see the zero day and the consequences for their users as acceptable losses as preferable to the payment
Apple is not behaving unethically here. There is no ethical imperative for apple to pay you or roll out the red carpet for you. Their ethical obligation is to not try to attack you legally or silence you. Beyond that, there is no obligations, just behaviours that are "nice".
Couldn't it be argued that they have a moral imperative to protect their customers and those whose livelihoods depend on the Mac ecosystem (internally and externally). I suppose obligations to shareholders are similar, but more transactional than moral.
What law is there against selling vuln to a random person on internet? And yeah you don't really need "Black" market. There is plenty "legit" companies around the globe that absolutely immoral, but their business as legal as it's could be.
If you sell something to someone and they use it to commit a crime, you are culpable if you even had a wiff that it was going to be used for something illegal. So if you're selling 0days on the blackmarket, you can bet your ass they will come after you sooner or later.
The companies that immoral & legal, have paved their own way, but since you're not going to be selling to governments directly, don't count on being able to get away with it.
Can you provide some examples in US / EU of people being charged for selling vulns on "black market"? Otherwise it's just baseless FUD.
I guess far bigger problem for researcher would be to actually not being scammed while selling and this is why companies like Zerodium have their marketshare.
Yeah someone could pay to you in crypto, but chances that you'll just gonna be scammed are extremely high.
There might not be a high profile "this dude sold a 0day and got arrested" case yet, but there are cases of folks selling software / hardware cracking tools getting indicted.
Dude caught serious prison time just for making hidden compartments in cars and they put him away based on the fact that he knew his customers where in the drug business.
Selling high impact 0days definitely seems like a risky business IMO.
Apple is trying to push a censorship module (that file scanner) onto every iPhone. That would be a massive damage to our society at a scale no black hat could ever make. Apple is certainly not a bastion of ethics.
Society's mores are pretty fungible. Who'da thunk that half of society would be fine with killing people if the alternative is sometimes wearing a paper mask and getting an injection?
I'm always surprised by companies like Apple that have so much money that paying out bounties should be no issue at all. It feels like Apple doesn't like being on the weaker side of a negotiation.
Maybe I'm a little naive, but I would set up a bounty program at Apple that was very lucrative for security researchers to report their bugs. The main goal would be to make the holders of security vulnerabilities concerned that someone might submit a bug report and make their million-dollar bug worth zero.
I have a CVE from Apple for a vulnerability in a consuming-facing mobile application RE improper data access & failed obfuscation of sensitive information. People think the CVE is cool and all, and it might help me get my next job, but for now it hasn't helped me put any food on the table. Maybe next time I'll call China, Russia, randoms on Twitter, go public before reporting to them, et cetera. Incentives are f'd up.
82 comments
[ 328 ms ] story [ 2653 ms ] threadYou can generate this snapshot on your own by using "Save Page Now" at: https://web.archive.org
If your web browser supports the extension, try Bypass Paywalls Clean:
- Firefox: https://addons.mozilla.org/en-US/firefox/addon/bypass-paywal...
- Chrome: https://gitlab.com/magnolia1234/bypass-paywalls-chrome-clean
I never knew that. I've often seen archive.org links posted like this but without realising you can actually initiate a snapshot! Thanks!
https://webcache.googleusercontent.com/search?q=cache:40fEbD...
It could be that 0-days are easier just to sell to black market and not bother with Apple's ridiculousness and red tape.
But a hack that allows arbitrary, malicious applications to be installed doesn't count; even though it could send any user files on the computer (so any data that is not encrypted by its consuming application). That seems...a bit of a logical leap. I mean, yes, it can't let you access iCloud photos, but a random JPG on your computer is totally fair game, so even with their list, it feels like it should be included (let alone the excel file with revenue figures that are going to be broadcast at the next quarterly result meeting with shareholders, or the HR docs containing PII, or...)
Perhaps Owens is lying. Perhaps this is misleading reporting, or otherwise occluding something. But on the surface of it, it sounds like no user intervention required.
My point is that just because you can get the user to execute your malicious executable under their user account does not grant you access to all their files, unlike what you would expect with traditional Unix permissions.
You can't really generalize either way from one, or even a few anecdotes.
I submitted some details (nothing technical, just the classification and affected platforms) of my vulnerability to Zerodium. Two days later someone tried to hack into all of my personal accounts and failed due to 2FA, and not many people have the email I used when I communicated with them. I've found other buyers outside the US, but I had ethical concerns and decided against them (at a 300K min loss).
I've found other buyers outside the US, but I had ethical concerns and decided against them (at a 300K min loss).
What type of buyers exist who are unable to fix the vulnerability (in this case, who are not Apple or the affected vendor or do not collaborate with Apple, etc.) but might be considered ethical to sell to?
I imagine some people think being rewarded for finding vulnerabilities is unethical entirely, but there seems to be a huge dose of pragmatism around the space.
Alternatively depending on how nationalistic someone feels NSA could be a eithical buyer for them as well.
How did you protect yourself against those?
Also, as a security researcher, are there alternatives you'd recommend more? Would Linux/Windows be more secure?
[1] https://tips.fbi.gov
You tried to report to apple. You didn't like the way they "treated" you, so you decided to sell it on black market. The black market person tried to hack you. You then went to the fbi to complain about how your black market buyer treated you?
Am i missing something from this story? That seems like a really bad plan.
On a serious note, I'm glad researchers like you exist.
I've managed several programs for some very large companies and haggling over bounties with a researcher is a _really_ bad idea. You set your bounty amounts and stick to them. If people want to haggle over impact that's fine, but once you exceed your quoted bounty amount for one person then everyone expects it.
The bean counters also play a big role. Most companies aren't ready for big bounty payouts when a program first starts. They set a fixed budget and are more likely to end a program completely if the bottom line cost is too high, regardless of the security impact. Security teams are aware of this and try to walk a fine line.
For researchers who are having problems with programs I'd suggest trying to form a better relationship with the triage teams and security teams. Be helpful, not confrontational. Companies get their best bang-for-buck when they can court good researchers. They love getting quality researchers who report multiple findings and they'll do quite a lot to make them happy, including paying bonus bounties for future reports and being far more transparent with triage status.
At the beginning of a high profile bug bounty program I'd expect higher expenditure than in the following fiscal year due to the backlog of researchers who really want to "sell" to an official channel, not a slow start.
It’s not hard to read it as “we don’t negotiate with terrorists”, and Apple (or Google or Amazon…) know people think they have deep pockets
<Giant bold white letters fade in against a black background>
A R R O G A N C E
If they don't want to play ball, take it to someone that will appreciate your work. Should it be used nefariously, you are still helping because they might take you more seriously next time, as they should have in the first place.
carrot versus stick.
As far as exposing users, that makes assumptions about the actions of a number of people including the company in question which could, if it so desired, assemble the resources to push a fix within 48 hours.
simply put if Apple doesn't find a way to come to an agreement with this person in a timely manner, they are just saying they see the zero day and the consequences for their users as acceptable losses as preferable to the payment
They'll also absolutely sell it to China, they'll just be quiet about it and use one of many Thailand-based intermediaries.
The companies that immoral & legal, have paved their own way, but since you're not going to be selling to governments directly, don't count on being able to get away with it.
I guess far bigger problem for researcher would be to actually not being scammed while selling and this is why companies like Zerodium have their marketshare.
Yeah someone could pay to you in crypto, but chances that you'll just gonna be scammed are extremely high.
There might not be a high profile "this dude sold a 0day and got arrested" case yet, but there are cases of folks selling software / hardware cracking tools getting indicted.
There's also this really interesting story:
https://www.wired.com/2013/03/alfred-anaya/
Dude caught serious prison time just for making hidden compartments in cars and they put him away based on the fact that he knew his customers where in the drug business.
Selling high impact 0days definitely seems like a risky business IMO.
How can I monetize ethics?
We live in a society. We try to abide by the mores.
Maybe I'm a little naive, but I would set up a bounty program at Apple that was very lucrative for security researchers to report their bugs. The main goal would be to make the holders of security vulnerabilities concerned that someone might submit a bug report and make their million-dollar bug worth zero.