CATEGORIES
home News

Researcher Discovers macOS Keychain Exploit But Won't Share Data With Apple

by Brandon HillWednesday, February 06, 2019, 03:30 PM EDT
macos desktop
Linuz Henze, a well-known security researcher, has found a particularly troublesome bug in Apple's macOS. The exploit involves the operating system's Keychain, which stores passwords, private keys, and other user credentials. 

Henze has demonstrated a working app that could be maliciously used to pilfer your Mac's Keychain, robbing you of stored passwords that are used to access everything from your Hulu account to your bank's website to your health insurance information. What's even more devastating is the fact that the exploit doesn't even require administrator privileges -- or any special privileges for that matter -- to take advantage of the Keychain.

According to Henze, the exploit could be piggybacked onto a legitimate app or a user could be directed to a malicious website to deliver the payload. “Running a simple app is all that’s required,” said Henze in a statement to Forbes.

The exploit is only applicable to macOS (even the latest version, macOS Mojave) and doesn't directly affect the iCloud Keychain that is used with iOS devices. However, if you sync your iOS Keychain data between your iPhone/iPad and your Mac, all of your devices are potentially vulnerable.

keychain

All of this might not be a big deal if Henze would simply disclose the exploit to Apple – which could likely push out a quick fix -- but he is refusing to do so. In fact, Henze says that he is taking a stand against Apple for only offering a Bug Bounty for iOS. The company doesn't offer a similar program for macOS, so in Henze's mind, why should he disclose such a critical bug if he isn't going to get paid for it?

That's a rather opportunistic way of looking at things, but it is rather curious that Apple doesn't offer a Bug Bounty for macOS. This is especially problematic considering how intertwined macOS and iOS become when users are deeply entrenched into the Apple ecosystem with iPhones, iPads, MacBooks and other Apple hardware that share credentials across a single user account.

Tags:  Apple, (NASDAQ:AAPL), macos, keychain, macos-mojave
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment