A German security researcher has published a video over the weekend showing a new zero-day affecting Apple's macOS desktop operating system.
In an interview with German tech site Heise, security researcher Linus Henze says the vulnerability allows a malicious app running on a macOS system to access passwords stored inside the Keychain, the password management system built into all macOS versions.
The exploit is particularly effective because the malicious app does not need admin access to retrieve passwords from the user's Keychain file, and it can even retrieve the contents of other Keychain files, which store passwords for other macOS users.
Henze has not published any proof-of-concept code to support his finding, except for a YouTube video, but a well-respected Apple security researcher confirmed in a Forbes article today that the exploit exists and works as described in the German news site interview.
Henze didn't report the vulnerability to Apple before going public with his video. He cited the company's lack of a bug bounty program for macOS as the primary reason. Apple runs bug bounty programs for other products, but not for macOS.
Speaking to ZDNet, Henze said that Apple's security team had reached out yesterday after his research had started getting media attention.
The Apple security team asked for more details, but he declined to provide them unless Apple starts a bug bounty program for macOS as well and rewards security researchers for the bugs they find in it.
"Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," Henze told ZDNet today. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and researchers."
"I really love Apple products, and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have)," the researcher told us.
An Apple spokesperson did not return a request for comment from ZDNet prior to this article's publication.
Henze's macOS zero-day, which he's referring to as KeySteal, is somewhat similar to another macOS zero-day named KeychainStealer, discovered by Patrick Wardle in September 2017. Coincidentally, Wardle is the independent Apple security expert who confirmed Henze's zero-day for Forbes earlier today.