A security researcher has demonstrated a macOS Mojave Keychain exploit that can be used to access the passwords stored in the Keychain. Linus Henze says he is not sharing the information with Apple to protest Apple’s lack of a macOS bounty program.
Remember KeychainStealer by @patrickwardle which can steal all your keychain passwords?
While his vulnerability is patched now, I've found a new one, affecting macOS Mojave and lower.
More information can be found in my video: https://t.co/wBQL2s6v7z #OhBehaveHack #OhBehaveApple
— Linus Henze (@LinusHenze) February 3, 2019
Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility. However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.
The “KeySteal” demonstration app shown in the video doesn’t require Administrator privileges to pull off the attack. It also doesn’t matter whether Access Control Lists are set up. Henze claims the exploit will succeed on Macs with System Integrity Protection enabled.
The iCloud Keychain is not vulnerable, as it stores data in a different way.
Users can defend themselves by locking the login Keychain with an additional password. However, this isn’t the default configuration, and will also likely prove to be rather inconvenient as it results in endless security authentication dialogs when using your Mac.
Currently, we aren’t sure whether Apple is aware of the problem.
Henze says other hackers and security researchers should publicly release Mac security issues to put pressure on Apple to expand the bug bounty program to include macOS as well as iOS.