German teen Linus Henze has shared with Apple the details of the “KeySteal” macOS Keychain security flaw he discovered last month. Henze had initially declined to share the details of the flaw due to the company’s lack of a software bug bounty program for Mac.
Henze named the zero-day macOS vulnerability he found “KeySteal.” The flaw can be exploited to disclose all of the sensitive data stored in the Mac Keychain app.
The “KeySteal” demonstration app shown in the video below doesn’t require Administrator privileges to pull off the attack. It also doesn’t matter whether Access Control Lists are set up. Henze claims the exploit will succeed on Macs with System Integrity Protection enabled.
Henze says he eventually decided to turn over the details of the flaw to Apple because the bug “is very critical and because the security of macOS users is important to me.”
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
— Linus Henze (@LinusHenze) February 28, 2019
Henze at first said he wouldn’t provide Apple with any details of the exploit, because Apple lacks a Mac bug bounty program like the one it has for iOS bugs.
“Even if it looks like I’m doing this just for money, this is not my motivation at all in this case,” said Henze. “My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and researchers.”