Security Researcher Discovers Exploit That Steals Passwords Stored In The macOS Keychain… But He Won’t Talk To Apple

Well here’s an interesting situation. Security researcher Linuz Henze has shared a video of an exploit that allows someone to steal passwords that are stored in the macOS (Mojave specifically) keychain without needing admin level access. Not only that, there is almost no way to stop the exploit. Here’s the YouTube video of the exploit in action:

The only way to stop it is to password protect the login keychain. But that would add complexity from a user experience perspective which may not make this the best way to approach fixing this. Thus Apple likely needs to step in and fix this. And that’s where the problems begin as Henze isn’t handing over the details to Apple because Henze is frustrated that Apple’s bug bounty program only applies to iOS and not macOS according to this German publication. That likely means that others will try to reverse engineer this and turn it into something that can be weaponized unless Apple can reverse engineer it and quickly fix it. Or they play nice with the security community and improve their bug bounty program. We’ll see which path they take.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: