Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.
Try Amazon Prime 30-Day Free Trial
Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.
However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.
Here’s the demo video of ‘KeySteal’.
The KeySteal demo app does not require administrator privileges to execute the attack. It also does not matter if Access Control Lists are set up. The exploit is also claimed to succeed on machines with System Integrity Protection enabled.
Via Heise.de, the exploit can purportedly access all the items in the “login” and “System” keychain. The iCloud Keychain is not susceptible as that stores data in a different way.
Users can proactively defend themselves by locking the login keychain with an additional password, but this is not the default configuration and is not convenient to enable as it results in endless security authentication dialogs when using macOS.
It’s not clear if Apple is aware of the problem at this time.
Henze encourages other hackers and security researchers to publicly release Mac security issues as he wants to put pressure on Apple to expand the bug bounty program to cover macOS in addition to iOS.