When Apple announced its Security Bounty Program last year, researchers lined up to locate potentially dangerous bugs in the company’s platforms, keeping them secret in exchange for potentially large payouts. But after developer Jeff Johnson told Apple about a zero-day exploit that gives malicious actors access to a Safari user’s private files — an issue affecting even the beta version of macOS Big Sur — the company left the flaw unpatched for over six months, leading Johnson to give up on the bounty program and describe the company’s efforts as “security theater.”
The exploit is troubling: a Safari user tricked into downloading a seemingly innocuous file from a website can allow an attacker to create a dangerously modified clone of Safari, which macOS then treats as the original app. “Any restricted file that is accessible to Safari” then becomes accessible to the attacker, who can automate the sending of files that should have been protected to the attacker’s server.
As Johnson explains, this exploit is possible because Apple’s Transparency, Consent, and Control (TCC) privacy protections system allows exceptions to be created that only look at the app’s identifier, not where the file is being run from, and “only superficially checks the code signature of the app.” Consequently, a modified copy of Safari can be run from the wrong directory without triggering TCC protection, a problem that spans macOS 10.14 (Mojave), 10.15 (Catalina), and 11 (Big Sur).
Apart from the exploit, Johnson notes that Apple’s intermittent responses haven’t instilled confidence in either the speed or likelihood of timely payouts from the Security Bounty Program. Having reported the exploit in December 2019, on the day the company opened the Bounty Program, Johnson received a confirmation that Apple was planning to address the issue, but nothing has happened as of the end of June 2020. That’s “well beyond the bounds” of a 90-day “reasonable disclosure,” Johnson notes, and it’s “also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time.”
Complaints regarding Apple’s slow responses to zero-day bug reports predate the Security Bounty Program, and include messy back and forths between Apple and Google’s Project Zero security teams. Johnson’s story of delayed responses and problematic payouts certainly isn’t unique, but arrives with the warning to users that “macOS privacy protections are mainly security theater,” harming only legitimate Mac developers while permitting malicious actors to weasel through cracks. “[Y]ou have the right to know that the systems you rely on for protection are not actually protecting you,” Johnson says, and despite claims to the contrary, “Apple’s debilitating lockdown of the Mac is not justified by alleged privacy and security benefits.”
Apple last told Johnson that it was still investigating the exploit yesterday, June 29. We’ll update this article if and when the company patches the bug in the beta version of Big Sur, which focuses a lot of attention on improvements to Safari, or its predecessors.
