When Apple announced its Security Bounty Program last year, researchers lined up to locate potentially dangerous bugs, keeping them secret in exchange for potentially large payouts. Developer Jeff Johnson promptly told Apple about a zero-day exploit that gives malicious actors access to a Safari browser user’s private files — an issue affecting even the beta version of macOS Big Sur. But he claims the company left the flaw unpatched for over six months, leading Johnson to give up on the bounty program and describe the company’s efforts as “security theater.”
The exploit is troubling: A Safari user tricked into downloading a seemingly innocuous file from a website can allow an attacker to create a dangerously modified clone of Safari, which macOS then treats as the original app. “Any restricted file that is accessible to Safari” then becomes accessible to the attacker, who can automate the sending of what should have been protected files to the attacker’s server.
As Johnson explains, this exploit is possible because Apple’s Transparency, Consent, and Control (TCC) privacy protection system allows exceptions that only look at the app’s identifier, not where the file is being run from, and “only superficially checks the code signature of the app.” Consequently, a modified copy of Safari can be run from the wrong directory without triggering TCC protection, a problem that spans macOS 10.14 (Mojave), 10.15 (Catalina), and 11 (Big Sur), exposing untold millions of consumers and businesses to unauthorized sharing of their supposedly secure private data.
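The gap Johnson describes, an exception keyed on the app's identifier rather than on where the bundle lives, is exactly what a defender-side check can close. The following is an added detection sketch, not code from Johnson or Apple: it flags launches that present a trusted bundle identifier from somewhere other than its canonical path, or that fail a full signature check. The record format, the `signature_valid` field and the canonical-path table are assumptions; the sample records are constructed.

```python
"""Detection sketch: flag processes that present a trusted bundle identifier
from an unexpected location. The record format is assumed, not the real TCC log."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed canonical install paths for identifiers that enjoy standing TCC exceptions.
CANONICAL_PATHS = {
    "com.apple.Safari": {"/Applications/Safari.app"},
}

@dataclass(frozen=True)
class LaunchRecord:
    bundle_id: str
    bundle_path: str
    signature_valid: bool  # outcome of a full (not superficial) signature validation; assumed field

def is_suspicious(rec: LaunchRecord) -> Optional[str]:
    """Return a reason if the launch should be flagged, else None.
    An exception keyed only on bundle_id would admit every record below;
    the path check and the full signature check are what separate them."""
    expected = CANONICAL_PATHS.get(rec.bundle_id)
    if expected is None:
        return None  # identifier has no standing exception, nothing to abuse
    if rec.bundle_path not in expected:
        return f"{rec.bundle_id} launched from unexpected path {rec.bundle_path}"
    if not rec.signature_valid:
        return f"{rec.bundle_id} at canonical path failed full signature validation"
    return None

def scan(records: List[LaunchRecord]) -> List[Tuple[LaunchRecord, str]]:
    """Run is_suspicious over a batch and keep only the flagged records with reasons."""
    flagged = []
    for rec in records:
        reason = is_suspicious(rec)
        if reason is not None:
            flagged.append((rec, reason))
    return flagged

# Constructed sample launches: the genuine app, a copy run from a download folder,
# a tampered bundle sitting at the canonical path, and an unrelated app.
SAMPLE = [
    LaunchRecord("com.apple.Safari", "/Applications/Safari.app", True),
    LaunchRecord("com.apple.Safari", "/Users/alice/Downloads/Safari.app", True),
    LaunchRecord("com.apple.Safari", "/Applications/Safari.app", False),
    LaunchRecord("com.example.notes", "/Applications/Notes Example.app", True),
]

if __name__ == "__main__":
    for rec, reason in scan(SAMPLE):
        print("FLAG:", reason)
```

Only the second and third records are flagged; the genuine Safari launch and the unrelated app pass, which is the behaviour a location-aware exception should have.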
Apart from the exploit, Johnson notes that Apple’s intermittent responses haven’t instilled confidence in either the speed or likelihood of timely payouts from the Security Bounty Program. Having reported the exploit in December 2019, on the day the company opened the Bounty Program, Johnson received a confirmation that Apple was planning to address the issue, but as of the end of June 2020, nothing has happened. That goes “well beyond the bounds” of a 90-day “reasonable disclosure,” Johnson says, and for at least the second time in his personal experience. It’s “becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time.”
Complaints regarding Apple’s slow responses to zero-day bug reports predate the Security Bounty Program and include back-and-forth exchanges between Apple and Google’s Project Zero security teams. Johnson’s story of delayed responses and problematic payouts certainly isn’t unique, but it arrives with the warning to users that “macOS privacy protections are mainly security theater,” harming legitimate Mac developers while permitting malicious actors to weasel through cracks. “You have the right to know that the systems you rely on for protection are not actually protecting you,” Johnson says, adding that despite claims to the contrary, “Apple’s debilitating lockdown of the Mac is not justified by alleged privacy and security benefits.”
Yesterday, Apple told Johnson the company is still investigating the exploit. We’ll update this article if and when Apple patches the bug in the beta version of Big Sur, which focuses a lot of attention on improvements to Safari.