82 comments

[ 328 ms ] story [ 2653 ms ] thread
Non-paywalled link?
Non-paywalled archive link: https://web.archive.org/web/20210909140946/https://www.washi...

You can generate this snapshot on your own by using "Save Page Now" at: https://web.archive.org

If your web browser supports the extension, try Bypass Paywalls Clean:

- Firefox: https://addons.mozilla.org/en-US/firefox/addon/bypass-paywal...

- Chrome: https://gitlab.com/magnolia1234/bypass-paywalls-chrome-clean

> You can generate this snapshot on your own

I never knew that. I've often seen archive.org links posted like this but without realising you can actually initiate a snapshot! Thanks!

How funny to find hackers trying to avoid paying journalists for their work on a story about a company that's trying to avoid paying hackers for their work.
xhk (etc). Nice spotting. You saved someone from drownig.
I haven't read the article, because fuck paywalls. But given the stories from hackers that drip here and there, I have got a feeling they are setting forth conditions that are too crazy to be even taken seriously, compared to competitors.

It could be that 0-days are easier just to sell to black market and not bother with Apple's ridiculousness and red tape.

A lot of CVE disclosures I've read involving Apple typically go cold-case for a few months after disclosure. The person responsible for the old Thunderbolt memory access hack (Thunderspy) didn't even hear back from Apple upon disclosing their findings, so I think it's safe to say that they're either understaffed or not interested in fixing your critical security vulnerability
$can_see_story_free = $javascript_enabled ? false : true;
Wow. "Apple’s bug bounty program offers $100,000 for attacks that gain “unauthorized access to sensitive data.” Apple defines sensitive data as access to contacts, mail, messages, notes, photos or location data."

But a hack that allows arbitrary, malicious applications to be installed doesn't count; even though it could send any user files on the computer (so any data that is not encrypted by its consuming application). That seems...a bit of a logical leap. I mean, yes, it can't let you access iCloud photos, but a random JPG on your computer is totally fair game, so even with their list, it feels like it should be included (let alone the excel file with revenue figures that are going to be broadcast at the next quarterly result meeting with shareholders, or the HR docs containing PII, or...)

A malicious application on macOS doesn’t automatically get access to the user’s sensitive data (contacts, photos, documents, etc). When an application tries to access those things the user normally gets a prompt from the OS to authorize such access. Verified bugs that allow circumvention of this prompt are what Apple is paying for.
From the article - "Owens created a hypothetical attack that gave hackers access to the victim’s files. He said in an interview that it could have hypothetically allowed hackers to access corporate servers, if the target computer were used by a corporation."

Perhaps Owens is lying. Perhaps this is misleading reporting, or otherwise occluding something. But on the surface of it, it sounds like no user intervention required.

Yeah so if he did as he claimed then he achieved the bypass Apple claims to be paying for. Now if Apple is lying and refusing to honour their bug bounty, that is another matter.

My point is that just because you can get the user to execute your malicious executable under their user account does not grant you access to all their files, unlike what you would expect with traditional Unix permissions.

Your point is taken, but also irrelevant to the specifics laid out in the article. I appreciate that "normally" the user may have to allow access to files and things (I'm not sure I've ever experienced that on a Mac before when installing applications; I installed Sublime and could open and edit files without any user dialogs, but maybe I disabled something, or working through the UI behaves differently or whatever), but the whole point being made is what the hacker says in the article would indicate it should have claimed the bounty.
Internal at Apple Ivan took over the team and then gotrid of all MSRC managers and half employees before rewards program launched. Team drove into ground after and churn through manager after manager, everyone leave
Apple sounds about as pleasant to work at as its platforms are to develop for.
Every large company has teams that are incredibly painful to work on, and ones that are not.

You can't really generalize either way from one, or even a few anecdotes.

Yep, this lines up with my experience. I've been trying to work with Apple on a critical security vulnerability for over a year now that affects over 100 million systems. When I'd ask the payout ranges at the beginning, I've had multiple people just block me as a contact and Apple themselves refuse to answer. Apple has a strict stance of submitting all of the research up front with no expectations as far as payment. Today, I've been ghosted by Apple, no reply to multiple emails. The last message I have is them saying they're fixing it. I chose the ethical route at a steep cost, the average price of the vulnerability from the other buyers I was talking to was 475K. There have been attempts to hack me 2 days after requesting a quote from some buyers. The most I can hope from Apple is 1/4th that. It really is the poorest communication out of any program I've done with the exception of AT&T's, who patched an RCE in their employee portal I reported (two months later) and then emailed me 6 months later saying there was no RCE. I've been told Apple is getting better with their communication over time, and now their average turnaround is 10 months.
Just curious - do you have an ethical stance against selling to ZDI/Zerodium?
OP edited their post to answer your question
ZDI, like Apple, doesn't tell you the average price of the vulnerabilities you can sell to them when you email them (yes, Apple has example payout ranges, but they aren't clear on classification). At Pwn2Own, ZDI paid roughly half of what Apple should pay. When you consider Apple themselves are 1/4th the market price, thereby making ZDI 1/8th, it becomes impossible to work to them. I raised my concerns with ZDI, no reply.

I submitted some details (nothing technical, just the classification and affected platforms) of my vulnerability to Zerodium. Two days later someone tried to hack into all of my personal accounts and failed due to 2FA, and not many people have the email I used when I communicated with them. I've found other buyers outside the US, but I had ethical concerns and decided against them (at a 300K min loss).

This isn't a judgment, by the way. I'm naive about this area and genuinely curious.

I've found other buyers outside the US, but I had ethical concerns and decided against them (at a 300K min loss).

What type of buyers exist who are unable to fix the vulnerability (in this case, who are not Apple or the affected vendor or do not collaborate with Apple, etc.) but might be considered ethical to sell to?

Come on, we both know the score here.. There is no ethical purchaser.
That was my assumption, but my netsec knowledge could be written on a stamp, so who knows! ;-)

I imagine some people think being rewarded for finding vulnerabilities is unethical entirely, but there seems to be a huge dose of pragmatism around the space.

In theory a large corp netsec team may buy zero days vulnerabilites and then either disable the affected systems or engage directly with the vendor.

Alternatively depending on how nationalistic someone feels NSA could be a eithical buyer for them as well.

> There have been attempts to hack me 2 days after requesting a quote from some buyers

How did you protect yourself against those?

Also, as a security researcher, are there alternatives you'd recommend more? Would Linux/Windows be more secure?

TOTP two factor authentication protected me. They attacked my recovery email to go for my primary, at the time my recovery provider didn't offer 2FA. I think they may have social engineered the recovery with my SSN (it was a randomly generated password). Then they used the recovery provider to buy time by adding 2FA options, I began recovering within a minute. It was impressive how quickly they worked, they tried to compromise 5 other accounts in 3 minutes. Unfortunately for them, all of the accounts they targeted from that point on had 2FA, and they lost access in 15 minutes.
If this happened to me, I'd send a tip to the FBI[1].

[1] https://tips.fbi.gov

Already done, with as much relevant information as I could compile. I hope they find who is attacking security researchers. If I had to guess, the motivation may be for the zerodays I have.
Wait a minute...

You tried to report to apple. You didn't like the way they "treated" you, so you decided to sell it on black market. The black market person tried to hack you. You then went to the fbi to complain about how your black market buyer treated you?

Am i missing something from this story? That seems like a really bad plan.

Yes, this is wrong, both in your timeline and description of the events. I said in my previous comments that the Apple bounty program didn't exist when I began (https://news.ycombinator.com/item?id=28471263) so I was forced to consider other buyers in order to get income as a researcher. I never claimed to entertain any black market buyers, nor would I. Zerodium isn't the black market, they sell to government buyers. Government buyers may be concerned with the manner of which their sources collect said zerodays. The black market is Crowdfense, Israeli/Chinese government, et al.
(comment deleted)
"Dear FBI, please tell your friends at the NSA to knock it off"

On a serious note, I'm glad researchers like you exist.

I assume you didn't tell Apple that you were negotiating with other buyers? I think most bug bounty programs will cut off communications at that point.

I've managed several programs for some very large companies and haggling over bounties with a researcher is a _really_ bad idea. You set your bounty amounts and stick to them. If people want to haggle over impact that's fine, but once you exceed your quoted bounty amount for one person then everyone expects it.

I looked for other buyers before Apple had a bug bounty program, not while talking with Apple. When I found an official way of submitting the vulnerability I cancelled my other negotiations (Apple is the correct channel and I wanted to see it fixed without exploitation). Regarding bounty amounts, I agree that they should clearly define the amounts for each factor of a complete exploit. That currently isn't done. The one thing everyone can give Zerodium credit for is being clear with their pricing, there's no ambiguity over whether you can keep your lights on by doing the research.
That's good. It's unfortunate that the best signal most companies can use for whether their bounty amounts are sufficient is report volume and quality rather than a pro-active "here's what others are paying" or impact to customers. If they set bounties too high initially they'll get swamped with low-quality reports and that will slow response times for the good ones.

The bean counters also play a big role. Most companies aren't ready for big bounty payouts when a program first starts. They set a fixed budget and are more likely to end a program completely if the bottom line cost is too high, regardless of the security impact. Security teams are aware of this and try to walk a fine line.

For researchers who are having problems with programs I'd suggest trying to form a better relationship with the triage teams and security teams. Be helpful, not confrontational. Companies get their best bang-for-buck when they can court good researchers. They love getting quality researchers who report multiple findings and they'll do quite a lot to make them happy, including paying bonus bounties for future reports and being far more transparent with triage status.

> Most companies aren't ready for big bounty payouts when a program first starts. They set a fixed budget and are more likely to end a program completely if the bottom line cost is too high, regardless of the security impact.

At the beginning of a high profile bug bounty program I'd expect higher expenditure than in the following fiscal year due to the backlog of researchers who really want to "sell" to an official channel, not a slow start.

Shhhh! If you demonstrate such clear thinking you’ll never get promoted to management…:)
Why companies project this idea that it is wrong that people ask to be compensated fairly for their hard work? The culture of exploitation of engineers is sickening.
Because it’s hard to distinguish between someone who’s trying to help you be more secure and someone who’s trying to extort hush money out of you for an error in your code.

It’s not hard to read it as “we don’t negotiate with terrorists”, and Apple (or Google or Amazon…) know people think they have deep pockets

Does the difference really matter provided that the bug bounties are paying market rates for the bugs that people submit?
What does it matter what the reporter's motivation is? The fact is, you have an unpatched vuln in your code, and you either pay up to discover more, or it blows up in your face an indeterminate amount of time later.
You mean they know people know they have deep pockets.
But they never contracted or asked you to do that hard work in the first place. You can’t mow my lawn without asking then demand that I pay you for your hard work.
> Apple has a strict stance of submitting all of the research up front with no expectations as far as payment

<Giant bold white letters fade in against a black background>

A R R O G A N C E

Serious question. If Apple won’t treat you in an ethical manner then why go the ethical route? Why not just sell the sploit to the highest bidder? Seems like there’s a misplaced and unreciprocated sense of integrity on the part of many researchers.
I think this is a great question - In my opinion, carving the ethical path from the start can and should fulfill any moral obligation you might have.

If they don't want to play ball, take it to someone that will appreciate your work. Should it be used nefariously, you are still helping because they might take you more seriously next time, as they should have in the first place.

carrot versus stick.

One, just because someone else is being unethical doesn't mean you can drop your ethics. Two: you don't really want to expose users to the exploit.
Considering the half hearted and sluggish response of certain huge companies I can see why some researchers chose the middle path and publicly disclose immediately.
Sometimes the ethical thing to do is adversarial. It forces better behavior for short term pain.

As far as exposing users, that makes assumptions about the actions of a number of people including the company in question which could, if it so desired, assemble the resources to push a fix within 48 hours.

Usually such poor community engagement correlats to lack of acceptance or slow fixing timings. The best recourse is to disclose publicly after set number of days (90).
Disagree if Apple is willfully mistreating people who it knows have zero days on them and want to work with them on fair terms, and then those zero days end up in the wrong hands, I place the blame SQUARLEY on Apple. I'm not going to victim blame a security researcher trying to put food on the table or provide for their family for what Apple forced their hand to do.

simply put if Apple doesn't find a way to come to an agreement with this person in a timely manner, they are just saying they see the zero day and the consequences for their users as acceptable losses as preferable to the payment

Because you will harm not only Apple, but also their users, who Apple has misled into thinking they are the secure choice.
Apple is not behaving unethically here. There is no ethical imperative for apple to pay you or roll out the red carpet for you. Their ethical obligation is to not try to attack you legally or silence you. Beyond that, there is no obligations, just behaviours that are "nice".
Apple has an ethical obligation to write secure software and incentivize efforts that would do this.
Couldn't it be argued that they have a moral imperative to protect their customers and those whose livelihoods depend on the Mac ecosystem (internally and externally). I suppose obligations to shareholders are similar, but more transactional than moral.
Maybe because their handelers are forbidding them to fix it until they are done with it... maybe I'm paranoid.
If I'm a hacker and I have an Apple 0-day, why the hell would I report it to Apple if I can quickly get a tidy payment on the black market?
Maybe because you don't want to be an arms dealer? Or you don't want to risk prison.
What law is there against selling vuln to a random person on internet? And yeah you don't really need "Black" market. There is plenty "legit" companies around the globe that absolutely immoral, but their business as legal as it's could be.
Precisely this. Zerodium will sell your bug to the FBI, who will be happy to use it to incarcerate more Americans.

They'll also absolutely sell it to China, they'll just be quiet about it and use one of many Thailand-based intermediaries.

If you sell something to someone and they use it to commit a crime, you are culpable if you even had a wiff that it was going to be used for something illegal. So if you're selling 0days on the blackmarket, you can bet your ass they will come after you sooner or later.

The companies that immoral & legal, have paved their own way, but since you're not going to be selling to governments directly, don't count on being able to get away with it.

Can you provide some examples in US / EU of people being charged for selling vulns on "black market"? Otherwise it's just baseless FUD.

I guess far bigger problem for researcher would be to actually not being scammed while selling and this is why companies like Zerodium have their marketshare.

Yeah someone could pay to you in crypto, but chances that you'll just gonna be scammed are extremely high.

It's not really baseless.

There might not be a high profile "this dude sold a 0day and got arrested" case yet, but there are cases of folks selling software / hardware cracking tools getting indicted.

There's also this really interesting story:

https://www.wired.com/2013/03/alfred-anaya/

Dude caught serious prison time just for making hidden compartments in cars and they put him away based on the fact that he knew his customers where in the drug business.

Selling high impact 0days definitely seems like a risky business IMO.

Not if you're selling to the agencies, it's a completely different playing field and the money is much more available.
Selling to agencies doesn't make you less of an arms dealer. It's up to you if you're ok with that or not.
That local 7-11 sure has a lot of cash and a sleepy clerk working it.

How can I monetize ethics?

We live in a society. We try to abide by the mores.

Apple is trying to push a censorship module (that file scanner) onto every iPhone. That would be a massive damage to our society at a scale no black hat could ever make. Apple is certainly not a bastion of ethics.
true, but as the saying goes... two wrongs a right does not make.
You do you. Don’t be surprised when you get cast off into exile. Society is pedagogically just.
Society's mores are pretty fungible. Who'da thunk that half of society would be fine with killing people if the alternative is sometimes wearing a paper mask and getting an injection?
Apple is not an ethical company. Why not sell your knowledge to someone who may have a good use for it, like saving lives?
I'm always surprised by companies like Apple that have so much money that paying out bounties should be no issue at all. It feels like Apple doesn't like being on the weaker side of a negotiation.

Maybe I'm a little naive, but I would set up a bounty program at Apple that was very lucrative for security researchers to report their bugs. The main goal would be to make the holders of security vulnerabilities concerned that someone might submit a bug report and make their million-dollar bug worth zero.

I have a CVE from Apple for a vulnerability in a consuming-facing mobile application RE improper data access & failed obfuscation of sensitive information. People think the CVE is cool and all, and it might help me get my next job, but for now it hasn't helped me put any food on the table. Maybe next time I'll call China, Russia, randoms on Twitter, go public before reporting to them, et cetera. Incentives are f'd up.
I have had two close friends quit recently, within a few months of each other. They both blamed management and especially Ivan Krstić.