The IT Nerd

Well here’s an interesting situation. Security researcher Linuz Henze has shared a video of an exploit that allows someone to steal passwords that are stored in the macOS (Mojave specifically) keychain without needing admin level access. Not only that, there is almost no way to stop the exploit. Here’s the YouTube video of the exploit in action:

The only way to stop it is to password protect the login keychain. But that would add complexity from a user experience perspective which may not make this the best way to approach fixing this. Thus Apple likely needs to step in and fix this. And that’s where the problems begin as Henze isn’t handing over the details to Apple because Henze is frustrated that Apple’s bug bounty program only applies to iOS and not macOS according to this German publication. That likely means that others will try to reverse engineer this and turn it into something that can be weaponized unless Apple can reverse engineer it and quickly fix it. Or they play nice with the security community and improve their bug bounty program. We’ll see which path they take.

This entry was posted on February 6, 2019 at 8:32 am and is filed under Commentary with tags Apple. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.