A US teenager who discovered a security flaw in Apple’s FaceTime video-calling system will be paid a “bug bounty” from the tech giant, plus an additional gift toward his education.
The exact amount 14-year-old Grant Thompson will receive has not been disclosed, but Apple’s “bug bounty” program launched in 2016 offers payments between $A35,000 and $A280,000 depending on the seriousness of the exploit discovered.
While getting financially rewarded for uncovering and reporting exploits (software or scripts that can let an attacker take control of a system) to Apple sounds like a lucrative endeavor, the company only offers bounties for five different categories of exploits.
And the bug bounty program is currently available by invitation only.
It’s for this reason a German teenager is holding Apple to ransom over a major bug in macOS that allows an attacker to access data from the Keychain without admin rights.
Keychain Access is a macOS app that stores passwords so users don’t have to enter them every time they access a website, email account, network server or another password-protected item; this means the hack could expose Facebook, banking and Netflix logins, just to name a few.
Researcher Linus Henze discovered the vulnerability in the feature and uploaded a video to YouTube showing how he can easily extract login details from anyone's Apple computer.
"In this video, I'll show you a zero-day exploit that allows me to extract all your (local) keychain passwords on macOS Mojave, and lower versions," he wrote in the video description.
Henze has not published any proof-of-concept code to support his finding; instead he is waiting for Apple to come to the table with some cash as part of its bug bounty program.
The 18-year-old has said he will not reveal details of the exploit to Apple until the company includes macOS exploits in its bug bounty program; currently Apple only pays bounties for iOS and iCloud vulnerabilities.
"Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," Henze told ZDNet.
"My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and researchers."
"I really love Apple products, and I want to make them more secure. The best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program – like other big companies already have."
Bug bounties are nothing new, with Google announcing last week it had paid out more than $A21m since launching its program in 2010. The company paid $A4.42m to 317 different security researchers last year alone.
Facebook has also paid more than $A10.5m since it launched its program in 2011, with the social media giant compensating researchers $1.5m in 2018.