MacOS Bug Can Expose Passwords in Keychain Access App

February 11, 2019

By Michael Kan

An 18-year-old security researcher has discovered a macOS bug that can expose passwords in Apples Keychain software. But hes refusing to hand over the details to Apple because the company doesnt offer rewards for finding macOS flaws.

The researcher, Linus Henze, posted a video demonstrating the so-called KeySteal exploit. It shows him running a rigged application on a MacBook Pro that then extracts all the login credentials stored in the macOS password management system, Keychain Access.

His rigged application only needs a few seconds to run before it can reveal all the stored usernames and passwords in plain text. The vulnerability affects macOS Mojave and lower, Henze tweeted.

Typically, when a software bug is found the discoverer reports it to the vendor for immediate patching. But not this time. Its like [Apple doesnt] really care about macOS, Henze told Forbes. Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because were helping Apple to make their product more secure.

Apples bug bounty program currently only applies to iOS and is invite-only (and an Arizona teen might soon see a payday for a FaceTime bug he found). All other software flaws and glitches can be reported to Apples developer-oriented Bug Reporting program.

A separate Mac security researcher, Patrick Wardle, told PCMag he tested Henzes Keychain exploit and its legit. He agrees that Apple should offer a bug bounty program for macOS.

If [Apple] cared about the security of macOS and their users in my humble opinion its a no-brainer, Wardle said. It will it only encourage more security researchers to find these kind of bugs that Apple is clearly missing.

So far, Apple hasnt commented on the macOS bug. But Henze claims the company already emailed him for the details. The good news is that the German security researcher doesnt plan to sell details about the flaw to malicious hackers or cyber arms dealers.

I definitely know that I wont keep it forever (and I definitely wont sell it!). Ill probably present my findings someday, he tweeted.

To protect yourself from Henzes exploit, its best to avoid installing applications from untrusted sources. The exploit also doesnt work if the Keychain Access app has been locked.

Copyright 2019 Ziff Davis Media Inc. All Rights Reserved.

Copyright © LexisNexis, a division of Reed Elsevier Inc. All rights reserved.  
Terms and Conditions   
Privacy Policy

Quality News Today is an ASQ member benefit offering quality related news
from around the world every business day.

Click here to read the entire article: Quality News Today.