A new Keychain exploit affects latest macOS releases

Feb 6, 2019 18:17 GMT  ·  By

Security researcher Linus Henze has found a vulnerability in Apple's macOS operating system that would allow an attacker with the right tools to obtain a user's login and system passwords.

The researcher demoed an app called "KeySteal" on YouTube (you can see it in action below), which appears to be capable of extracting login and system passwords from the macOS Keychain utility without needing the administrator (root) password.

Linus Henze's KeySteal app leverages a new macOS Keychain exploit, so it works even if Access Control Lists (ACLs) and System Integrity Protection (SIP) are not configured. The good news is that this vulnerability doesn't affect your iCloud Keychain credentials.

The Keychain exploit discovered by Linus Henze appears to affect the latest macOS Mojave 10.14 operating system series, from version 10.14 to 10.14.3. However, the researcher refuses to share any details about the vulnerability with Apple, in protest at the fact that the tech giant doesn't have a bug bounty program for macOS.

"It's like they don't really care about macOS," Linus Henze told Forbes. "Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we're helping Apple to make their product more secure."

Apple needs a bug bounty program for macOS

Apple won't be able to patch the Keychain exploit found by Linus Henze in the macOS operating system, as the Cupertino, California-based company doesn't have a bug bounty program for macOS, only for iOS. However, we believe that Apple will find a way to pay Henze for his discovery and address the issue in time.

With that in mind, we think Apple should open a bug bounty program for macOS as well, so that it can patch security holes like the one discovered by Linus Henze and keep our Macs more secure. Meanwhile, be careful who has access to your Mac!