Zero-Click Calendar invite vulnerability chain in macOS (mikko-kenttala.medium.com)
I just did a quick test on my Sonoma 14.6.1 system. Hold the Option key while opening Photos to create a new photo library in ~/Pictures; then use an app without full disk access permission and without photo permission to access that folder. That app was denied access. Then do the same except the new photo library is created in /tmp. That same app is allowed access. This behavior is baffling and inconsistent.
If Apple really intends to support the feature of allowing the user to relocate their photo library to anywhere on the file system, they need to apply the protection properly.
you're welcome
Shaming Ivan, the head of SEAR, on Twitter is how people who should get paid bounties, but aren't, make progress.
The only crusade I'm on is against the idea that companies ruthlessly avoid paying bounties, which is, on information and belief, flatly false, like, the opposite of the truth. I think it's valuable for people to get an intuition for that.
Thanks for this!
But does that matter to security researchers or the public? No. Apple should fix their bounty program regardless of the reason it's broken.
Ultimately, this blog post is just another example on the already large pile [1][2][3][4][5]
1: https://arstechnica.com/information-technology/2021/09/three...
2: https://mjtsai.com/blog/2021/07/13/more-trouble-with-the-app...
3: https://medium.com/macoclock/apple-security-bounty-a-persona...
4: https://theevilbit.github.io/posts/experiences_with_asb/
5: https://shail-official.medium.com/accessing-apples-internal-...
I'd be rueful about leaving so many holes in my original argument, but I think these are useful conversations to have. Thanks!
If you think that any major vendor bug bounty has incentives to stiff researchers, I'm commenting to tell you that's a strong sign you should dig deeper into the dynamics of bounty programs. They do not have those incentives.
It’s one of the most infuriating and frustrating experiences I ever had in computing. They clearly don’t want you sharing the issue publicly, but just string you along indefinitely. I’m honestly reaching my limit.
I don’t even care about the bounty money, I just want the bugs fixed. I’d give them all the latitude in the world if I thought the matters were taken seriously, but I don’t believe they are.
And now we're starting to get a lot of AI-generated stuff submitted. It takes a lot of effort just to sort through the bullshit to accept the good ones, and then to manage it and fix things within SLA; when it's not critical, it very easily gets pushed far down the backlog, competing with all different kinds of requests from customers to fix things. Code changes might be a one-liner, but testing etc. can blow up into a very long process.
See the rest of the thread for a further response on this, esp. w/r/t Apple itself.
> The sums involved are not meaningful to the company
Which makes it all the more bewildering to see how misshapen the handling is.
The easiest way to show this would be to give the responsibility of managing the bug bounty to a third party who isn't involved in the business.
Seems just way too many different systems have the ability to modify those flags.
What's the scope of this? Can anyone on macOS anywhere really just send random invites to anyone else who uses iCloud? Who would even want that?
That's bad engineering.
> The attacker can exploit this to conduct a successful directory traversal attack by setting an arbitrary path to a file in the ATTACH section with: “FILENAME=../../../PoC.txt”.
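The traversal quoted above is a matter of the `FILENAME` parameter on an `ATTACH` property being used as a path. As an added defensive example (not code from the blog post, and not Apple's code), the following unfolds an iCalendar body, pulls `FILENAME` from each `ATTACH` property, rejects anything that is not a bare file name, and then double-checks, after symlink resolution, that the destination is a direct child of the attachments directory. The attachments directory, the sample invite and all function names are constructed for this example.

```python
"""Defensive handling of the iCalendar ATTACH;FILENAME= parameter (constructed example)."""
import os

# Assumed destination directory; not a path from the blog post or from macOS.
ATTACHMENTS_DIR = "/tmp/calendar-attachments-example"

# Constructed sample invite: one benign attachment, one with a traversal name.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "UID:constructed-example-1",
    "SUMMARY:Sample invite",
    "ATTACH;FMTTYPE=text/plain;FILENAME=notes.txt;ENCODING=BASE64;VALUE=BINARY:aGVsbG8=",
    "ATTACH;FILENAME=../../../PoC.txt;ENCODING=BASE64;VALUE=BINARY:cHdu",
    "END:VEVENT",
    "END:VCALENDAR",
])


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with SPACE/TAB continues the previous one."""
    out = []
    for line in ics_text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def property_name(line):
    """The property name is the text before the first ';' or ':'."""
    end = len(line)
    for ch in (";", ":"):
        idx = line.find(ch)
        if idx != -1:
            end = min(end, idx)
    return line[:end].strip().upper()


def parse_attach_line(line):
    """Split an unfolded ATTACH line into (parameters dict, value)."""
    head, sep, value = line.partition(":")
    if not sep or property_name(line) != "ATTACH":
        raise ValueError("not a well-formed ATTACH property")
    params = {}
    for part in head.split(";")[1:]:
        key, _, val = part.partition("=")
        params[key.strip().upper()] = val.strip().strip('"')
    return params, value


def is_safe_attachment_filename(filename):
    """Accept only a bare file name: no separators, no '.' or '..', no NUL byte."""
    if not filename or "\x00" in filename:
        return False
    if "/" in filename or "\\" in filename:
        return False
    return filename not in (".", "..")


def resolve_attachment_path(attachments_dir, filename):
    """Return the absolute destination path, or raise ValueError if it would escape."""
    if not is_safe_attachment_filename(filename):
        raise ValueError(f"rejected attachment filename: {filename!r}")
    root = os.path.realpath(attachments_dir)
    target = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: after symlink resolution the file must still sit directly in root.
    if os.path.dirname(target) != root:
        raise ValueError(f"attachment path escapes {root}: {target}")
    return target


def triage_attachments(ics_text, attachments_dir=ATTACHMENTS_DIR):
    """Return (filename, verdict, detail) for every ATTACH property in the invite."""
    results = []
    for line in unfold(ics_text):
        if property_name(line) != "ATTACH":
            continue
        params, _value = parse_attach_line(line)
        filename = params.get("FILENAME")
        if filename is None:
            results.append((None, "skipped", "no FILENAME parameter (URI attachment)"))
            continue
        try:
            results.append((filename, "accepted", resolve_attachment_path(attachments_dir, filename)))
        except ValueError as exc:
            results.append((filename, "rejected", str(exc)))
    return results


if __name__ == "__main__":
    for filename, verdict, detail in triage_attachments(SAMPLE_INVITE):
        print(f"{verdict:8} {filename!r}: {detail}")
```

The name check rejects rather than sanitises: stripping `../` from a hostile name silently turns one attacker-chosen path into another, whereas refusing the attachment leaves nothing on disk. The `realpath` containment check is the second layer, catching an existing symlink inside the attachments directory that the bare-name check alone would accept.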
Edit: and there are actually 4 library functions with subtly different behaviors
Any guess on the bounty amount for this zero-click vulnerability, with a 5 step exploit chain for macOS?
The fact that security researchers are completely at the mercy of the companies made me choose to do software Eng instead. Much more stable.
Weird that it's been 2 years now and Apple still hasn't paid anything.
Really highlights why people might tend to gravitate towards that route instead of going thru the legit bug bounty process.
CVE-2022-46723 was reported 2022-08-08 and fixed later on 2022-10-24, for which the author of this post was credited by Apple.
NSO Group would have paid more, quicker
Bug bounties will pay for any bug. Offensive firms only pay for things that are practical, and they don't pay everything up front---it depends on the lifetime of the exploit. The business model is closer to a subscription or services.
There is no reason to believe NSO group would pay more, and they certainly wouldn't pay quicker.
I thought it was a zero click exploit?
As for being interested in iCloud and photos, is the argument that the people they’re looking to attack are unlikely to use iCloud? Cause otherwise getting photos and potentially email access seems quite valuable.
This one didn't.
I know Apple has now switched to 10 years for macOS, and 7ish years of iOS, but I hope the EU passes some laws to make this a requirement, rather than something a company can choose to provide or not.
2022-08-08: Arbitrary file write and delete in Calendar sandbox reported
2022-10-24: (No CVE) fixed in macOS Monterey 12.6.1 and Ventura 13 (Ventura beta3 was vulnerable)
One thing I think you won't like about this is that it's easier for large commercial vendors to comply than it is for open source projects.
I think they could use a little more ritualized shaming: https://en.wikipedia.org/wiki/Leveling_mechanism
Only Linus is brave enough to do this.
I was really expecting you to say this doesn't happen; I'm now left wondering why security researchers are willing to take such risks.
> 2024-09-12: Still no bounty [...].
Apple's bounty payouts are ball-parked here:
> Zero-click unauthorized access to sensitive data $5,000 to $500,000
Boss: Why aren't you in the meeting with our vendor to upgrade our X system?
You: Oh I whitelist all my invites. You see, I am thinking about security and don't want to receive invites from someone I don't know.
Boss: Clear your desk, security will walk you out.
ExternalUser: Hello here is a calendar invite I would like you to attend, please confirm or deny
User: Thank you, now I can verify the request and choose to add this to my calendar or not
If I work with them, I would have them whitelisted. If I've never even heard of them they have no business sending my devices' calendar invites.
Boss: Why aren't you working on that project I gave you?
You: Some stranger in Indonesia invited me to a sales meeting instead.
Boss: If I need you to go to a sales meeting with someone from Indonesia I'll tell you to! Clear your desk!
(This stockpiling thing isn't me guessing; it's something I learned pretty recently).
No idea what portion of non-western journalists use Macs.
This is not from an examination of when bug programs work but when they have very demonstrably not worked in the past.
If the cost of an uncharitable blog post is less than the cost of paying out the bounty, then a company would still be incentivized to find as many reasons to reject a payout as possible, as long as future reporters still believe they have a good chance of receiving a payout (e.g., if they believe they can sidestep any rejection reasons).
If someone is going to make some demand for my time, the very least they can do is give me notice outside of my iCloud calendar. An email, an IM, a phone call, etc. are all very easy and they allow me to make sure it's real before it has any chance to interfere with my schedule. "Hey Boss, this guy says he's our new IT guy and he wants to talk about my network settings" or "Hey $vendor, I just got a call from $rando saying he's our new contact, can you verify that for me before I tell him everything I know about your proprietary applications?"
It helps that I like to keep my work devices and my personal devices entirely separate. If someone in the office wants to pull me into a work meeting through outlook, they'll already have to have an account set up on the company's exchange server. Anyone outside of the company I should already have a relationship with or at least a heads up.
Keep in mind also that the economics of bug bounties are different than those of the "black market". Bounties quote lower prices because they're offering assured payouts, often with lower exploit proof and enablement requirements. They're not actually apples and oranges.
Every organization includes a mess of situations where the overall best interest of the organization no longer comes through. Groups and individuals don't want to admit mistakes both personal and in wider senses and have alliances, competitions, team and organizational loyalty that twists their behavior.
A lot of organizations know they would benefit from having a proper whistle blower program and then proceed to crucify the first person who uses it.
Eh, it's likely usually true, but I've worked for a company which was attracted to the bounty program idea mainly for the optics and very much did push back on/was very reluctant to pay out on bounties.
And when I say "for the optics" I mean not only for the company being able to boast about having a bounty program but also the executive in question having something for his quarterly report. Having it not be too expensive was definitely part of the deal.
Needless to say this was a terrible company with terrible leadership, but it's a data point...
Apple historically used to have a deservedly good reputation for this. I was quite shocked at this story.
Definitely not, in fact rather the opposite. I was just sharing the anecdote as a counter to the otherwise fairly blanket claims being made upstream.
Are they? Apple only started their bug bounty program (with monetary rewards) merely 5 years ago, 12 years after first iOS release and well after everyone else. They are not very transparent about bugs and payouts (which is understandable) so I wonder where this good reputation comes from?
(if you count their invitation-only program then it started in 2016, 8 years ago)
A little adjacent to your question but relevant enough I think.
Customer meetings I get invited to often come from someone I’ve never dealt with before, but include others who I work with who were responsible for bringing me into it.
Another in my long-running dramatic series "businesses pay spectacularly more for determinism and predictability than nerds like us account for".
Look up "apple bug bounty" on Google, or any other search engine of your choice, and you'll find absolutely no shortage of people complaining of issues with the program. If these complaints each cost Apple a bajillion dollars, then why haven't they shut down their program already?
Or, if almost all of those complaints are just from the reporter being dumb, then how are potential future reporters (who would care about the company's propensity to pay) supposed to find actual meaningful complaints among the noise?
I don't think that sporadic blog posts are nearly as powerful as you're making them out to be: my intuition tells me that the company can usually ignore them safely, short of them making front-page news.
The only thing here I'm going to push back on, and forcefully, is the idea that bounty programs have an incentive to stiff researchers. They do not. I cannot emphasize enough how "not real money" these sums are. Bounty program operators, the people staffing these programs, don't get measured on how few bounties they pay out.
After all, it's not like Apple goes around handing out free iPhones on the street, even though a few thousand units are similarly "not real money". Businesses care about small effects on the margin.
I replied upstream as well, but let me push back here as well. They can actually, if the bounty program is being run for the wrong reasons, which can happen - I know anecdotes aren't data, but I've seen one case first-hand.
If a bounty program is treated as a marketing project and/or an "executive value" project then they can and will be managed as a cost center and those costs will be deliberately minimized. Bang for buck. Now obviously this is perverse but if making your manager happy isn't an incentive then I don't know what to tell you.
But then I can see your point to a degree at least.
None of this is to say that the program is managed perfectly, as has been pointed out elsewhere on the thread. I'm not qualified to have a take on that question.
(I have no opinions in either direction about whether Apple is denying bounty payments because of difficulties operating the program!)
After all, one might easily imagine a forgiving rule of "we'll pay some amount of money (whether large or small) for any security issue we actively fix based on the information in the report", and yet Apple seemingly chooses to be more fussy than that in this case, unless they're just being extremely slow. I just don't see any way to square such apparent fussiness with your experience of bug bounty programs leaning toward paying out more.