A researcher claims to have found a new Apple zero-day impacting macOS that could allow an attacker to extract passwords from a targeted Mac’s keychain password management system. However, the researcher refuses to disclose the alleged vulnerability citing Apple’s lack of macOS bug bounty program.
Keychain Access is the password management system app in macOS, which holds various encrypted passwords for services such as Facebook and Twitter.
The researcher behind the attack, Linus Henze, said that the vulnerability exists in the application’s access control and enables him to extract local keychain passwords without root or administrator privileges, and without password prompts.
Remember KeychainStealer by @patrickwardle which can steal all your keychain passwords? While his vulnerability is patched now, I've found a new one, affecting macOS Mojave and lower.
— Linus Henze (@LinusHenze) February 3, 2019
Henze, however, said that he would not release more information about the proof-of-concept attack, which he dubbed “KeySteal,” because Apple’s bug bounty program covers only iOS and does not reward vulnerability findings for macOS.
According to a report by Forbes, Henze is a German 18-year-old who has discovered previous macOS and iOS bugs.
“You might remember KeychainStealer… released 2017 for macOS High Sierra, which can also steal all your keychain passwords,” Henze said in a YouTube blurb. “While the vulnerability he used is already patched, the one I found still works, even in macOS Mojave. I won’t release this. The reason is simple: Apple still has no bug bounty program (for macOS), so blame them.”
A video below demonstrates the proof-of-concept attack stealing passwords.
Apple did not respond to a request for comment from Threatpost.
In 2017, researcher Patrick Wardle discovered a similar critical vulnerability in macOS that allows an attacker to dump passwords in plaintext from the macOS Keychain. The vulnerability existed in macOS High Sierra, Sierra and El Capitan.
On Wednesday Wardle tweeted, “Got to play with @LinusHenze‘s ‘KeySteal’. It’s a lovely bug & exploit.”
Got to play with @LinusHenze's 'KeySteal'. It's a lovely bug & exploit 😍😍
✅ works on macOS 10.14.3
✅ his payload dumps passwords, private keys, & tokens
Protect yourself by: 🔐 manually locking your keychain
🔐 or setting a keychain-specific password https://t.co/K1hhjraH60
— patrick wardle (@patrickwardle) February 6, 2019
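A defender-side check for the mitigation Wardle suggests above, as an added example that is not the article’s or either researcher’s code: it audits whether the login keychain is set to lock on sleep and after an idle timeout, and applies those settings with Apple’s `security` command-line tool if not. The keychain path, the 300-second timeout and the `show-keychain-info` output format it parses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers it quotes.
# Assumptions: the login keychain is at the default path below, and
# `security show-keychain-info` prints one line in the form
#   Keychain "<path>" lock-on-sleep timeout=300s
# (with "no-timeout" when no inactivity lock is configured).

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"
MAX_TIMEOUT="${MAX_TIMEOUT:-300}"   # max idle seconds before auto-lock

# keychain_settings_ok LINE MAX
# Returns 0 when LINE shows lock-on-sleep AND an inactivity timeout of at
# most MAX seconds; returns 1 otherwise. Pure text parsing, so it can be
# exercised off-box with constructed sample lines.
keychain_settings_ok() {
    line=$1; max=$2
    case "$line" in
        *lock-on-sleep*) ;;
        *) return 1 ;;
    esac
    timeout=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    [ -n "$timeout" ] || return 1       # "no-timeout" or unparseable
    [ "$timeout" -le "$max" ]
}

# audit_keychain PATH MAX: read the live settings and evaluate them.
audit_keychain() {
    info=$(security show-keychain-info "$1" 2>&1) || return 2
    keychain_settings_ok "$info" "$2"
}

# harden_keychain PATH MAX: lock on sleep (-l), lock after MAX idle
# seconds (-u -t), then lock the keychain immediately. The GUI equivalent
# is Keychain Access > Edit > Change Settings for Keychain.
harden_keychain() {
    security set-keychain-settings -l -u -t "$2" "$1" && security lock-keychain "$1"
}

# Only touch a real keychain when running on macOS with the tool present.
if [ "$(uname)" = Darwin ] && command -v security >/dev/null 2>&1; then
    if audit_keychain "$KEYCHAIN" "$MAX_TIMEOUT"; then
        echo "OK: $KEYCHAIN locks on sleep and after <= ${MAX_TIMEOUT}s idle"
    else
        echo "Hardening $KEYCHAIN"
        harden_keychain "$KEYCHAIN" "$MAX_TIMEOUT"
    fi
fi
```

Locking only narrows the window in which an unlocked keychain can be read; it does not patch the underlying bug.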
Henze is not the first researcher to come forward criticizing Apple’s security culture – Google bug hunter Ian Beer ripped into Apple at Black Hat 2018, saying that the iPhone maker patches iOS bugs but does not fix the systemic root causes that contribute to the vulnerabilities.
Henze said he plans to release more videos in the future showing vulnerabilities, specifically in Apple products.
“Maybe this forces Apple to open a bug bounty program at some time,” he said.