February 11, 2019
By Michael Kan
An 18-year-old security researcher has discovered a macOS bug that can expose passwords in Apple’s Keychain software. But he’s refusing to hand over the details to Apple because the company doesn’t offer rewards for finding macOS flaws.
The researcher, Linus Henze, posted a video demonstrating the so-called “KeySteal” exploit. It shows him running a rigged application on a MacBook Pro that then extracts all the login credentials stored in the macOS password management system, Keychain Access.
His rigged application only needs a few seconds to run before it can reveal all the stored usernames and passwords in plain text. The vulnerability affects “macOS Mojave and lower,” Henze tweeted.
Typically, when a software bug is found the discoverer reports it to the vendor for immediate patching. But not this time. “It’s like [Apple doesn’t] really care about macOS,” Henze told Forbes. “Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure.”
Apple’s bug bounty program currently only applies to iOS and is invite-only (and an Arizona teen might soon see a payday for a FaceTime bug he found). All other software flaws and glitches can be reported to Apple’s developer-oriented Bug Reporting program.
A separate Mac security researcher, Patrick Wardle, told PCMag he tested Henze’s Keychain exploit and it’s legit. He agrees that Apple should offer a bug bounty program for macOS.
“If [Apple] cared about the security of macOS and their users in my humble opinion it’s a no-brainer,” Wardle said. “It will it only encourage more security researchers to find these kind of bugs that Apple is clearly missing.”
So far, Apple hasn’t commented on the macOS bug. But Henze claims the company already emailed him for the details. The good news is that the German security researcher doesn’t plan to sell details about the flaw to malicious hackers or cyber arms dealers.
“I definitely know that I won’t keep it forever (and I definitely won’t sell it!). I’ll probably present my findings someday,” he tweeted.
To protect yourself from Henze’s exploit, it’s best to avoid installing applications from untrusted sources. The exploit also doesn’t work if the Keychain Access app has been locked.
Copyright 2019 Ziff Davis Media Inc. All Rights Reserved.
Quality News Today is an ASQ member benefit offering quality related news
from around the world every business day.