It's been ten years, so a short story about the "gotofail" bug.
-
Someone came to me about a catastrophic vulnerability in Apple's TLS implementation.
I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.
They didn't know exactly what it was, just some vague details and the key point that it allowed use of the real certificate.
This was enough for me to find the bug (yay open source), which would go on to be known as "gotofail", and produce a working exploit in less than a day.
The details were anonymously back channelled to Apple, who released a fix.
@matthew_d_green posted on Twitter about it, concerned by Apple's vague release notes.
I used a burner phone to share the details with him anonymously.
Then everyone forgot about the whole thing because heartbleed.
¯\_(ツ)_/¯
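For readers who don't know what "gotofail" actually was: the defect was a duplicated, unconditional `goto fail;` in Secure Transport's `SSLVerifySignedServerKeyExchange`, which skipped the signature check over the key exchange and left `err` at 0 from the previous successful step. The toy below is an added illustration written for this thread, not Apple's code; the hash and verify stubs (`hash_update`, `hash_final`, `verify_sig`) are assumed stand-ins that only model the control flow.

```c
/* Simplified model of the CVE-2014-1266 "gotofail" control-flow defect.
 * Added illustration, not Apple's Secure Transport source: the helpers
 * below are stand-ins that only reproduce the shape of the bug. */
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the hashing steps: succeed unless input is NULL. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int hash_final(void) { return 0; }
/* Assumed stand-in for the signature check: only the tag "GOOD" verifies. */
static int verify_sig(const char *sig) { return strcmp(sig, "GOOD") == 0 ? 0 : -1; }

/* Vulnerable shape: the second "goto fail" is outside the if, so it is
 * taken unconditionally. verify_sig() is never reached and err still
 * holds the 0 from hash_update(), so any signature is "accepted". */
int verify_vulnerable(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;               /* duplicated line: always executed */
    if ((err = hash_final()) != 0)
        goto fail;
    if ((err = verify_sig(sig)) != 0)
        goto fail;
fail:
    return err;                  /* 0 means the exchange was accepted */
}

/* Fixed shape: the stray goto removed, so the signature is actually checked. */
int verify_fixed(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    if ((err = verify_sig(sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("vulnerable, forged sig: %d\n", verify_vulnerable("p", "BAD"));
    printf("fixed, forged sig:      %d\n", verify_fixed("p", "BAD"));
    printf("fixed, valid sig:       %d\n", verify_fixed("p", "GOOD"));
    return 0;
}
```

Compiling the vulnerable function with clang's `-Wunreachable-code` flags the dead `hash_final`/`verify_sig` calls, which is the kind of warning that would have caught the original.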
-
Charlotte replied to Ryan Castellucci :nonbinary_flag:
@ryanc newbie question: why did you go to such lengths to report it anonymously? To avoid tipping the person you overheard it from/to avoid potential blowback from apple? I'm curious where the defensive measures come from, not questioning their appropriateness
-
Ryan Castellucci :nonbinary_flag: replied to Charlotte
@Foritus At the time, it seemed plausible that the bug had been deliberately added, and the people who might plausibly do that aren't people I wanted to be aware of me or the other folks involved.
The people who were going to sell it were also a concern.