Person Who Discovered A macOS Security Bug Goes Public After Months Of Apple Not Fixing It

Software developer Jeff Johnson discovered and told Apple about a privacy bypass vulnerability opening up protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur. This he thought was the responsible thing to do. But that was over six months ago. And the best Apple could come up with was that it was “investigating” what he reported. So after feeling that the folks at 1 Apple Park weren’t taking this security issue seriously, he’s decided to go public via this blog post that went online yesterday. In this blog post he’s laid out the timeline in terms of when it was reported and what happened next. Then he says this:

For technical reasons, I don’t believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall. I’ve seen no evidence that Big Sur makes any effort in this direction, and Apple’s email to me shows no evidence of that either. Therefore, I’m disclosing the issue now. It’s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. It’s also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time. I’m not interested in waiting years for a bounty. I can’t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don’t plan to participate again in the future. 

Well, that’s a pretty damming statement when it comes to Apple’s Security Bounty program. If people don’t have confidence that Apple will act on the things that they report, then they won’t use it. And what is really bad is that  he revealed a similar issue last October after reporting it in February of that year and waited eight months for Apple to fix it without success.

Besides that, he gives readers this to think about:

Should you be worried about this issue? That depends on how you feel in general about macOS privacy protections. Prior to Mojave, the privacy protections feature did not exist at all on the Mac, so you’re not any worse off now than you were on High Sierra and earlier. My personal opinion is that macOS privacy protections are mainly security theater and only harm legitimate Mac developers while allowing malware apps to bypass them through many existing holes such as the one I’m disclosing, and that other security researchers have also found. I feel that if you already have a hostile non-sandboxed app running on your Mac, then you’re in big trouble regardless, so these privacy protections won’t save you. The best security is to be selective about which software you install, to be careful to avoid ever installing malware on your Mac in the first place. There’s a reason that my security research has focused on macOS privacy protections: my goal is to show that Apple’s debilitating lockdown of the Mac is not justified by alleged privacy and security benefits. In that respect, I think I’ve proved my point, over and over again. In any case, you have the right to know that the systems you rely on for protection are not actually protecting you.

Here’s my $0.02 worth. Apple makes a lot of noise about privacy and security. But reading the above statement makes it appear that Apple is only paying lip service to privacy and security. If Apple were actually serious about this, they would not only respond to this developer in public and address his claims in public, but they would also make a statement about why users of their products should trust in their products to keep them secure, and what they are going to do to walk the walk as opposed to just talking the talk. But I am not naive. That won’t happen because Apple isn’t that sort of company. They never have been. And clearly they never will be. And that will come back to haunt them sooner or later.

Leave a Reply

%d bloggers like this: