
Security Researcher’s Video Demos macOS Mojave Keychain Exploit, But He Won’t Share Information With Apple in Protest

A security researcher has demonstrated a macOS Mojave Keychain exploit that can be used to access the passwords stored in the Keychain. Linus Henze says he is not sharing the information with Apple to protest Apple’s lack of a macOS bounty program.



9to5Mac:

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.

However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

The “KeySteal” demonstration app shown in the video doesn’t require Administrator privileges to pull off the attack. It also doesn’t matter whether Access Control Lists are set up. Henze claims the exploit will succeed on Macs with System Integrity Protection enabled.

The iCloud Keychain is not vulnerable, as it stores data in a different way.

Users can defend themselves by locking the login Keychain with an additional password. However, this isn’t the default configuration, and will also likely prove to be rather inconvenient as it results in endless security authentication dialogs when using your Mac.

Currently, we aren’t sure whether Apple is aware of the problem.

Henze says other hackers and security researchers should publicly release Mac security issues to put pressure on Apple to expand the bug bounty program to include macOS as well as iOS.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.