New macOS zero-day allows theft of user passwords

February 06, 2019

A German security researcher has published a video over the weekend showing a new zero-day affecting Apple’s macOS desktop operating system.

In an interview to German tech site Heise, Linus Henze, the security researcher, says the vulnerability allows a malicious app running on a macOS system to get access to passwords stored inside the Keychain –the password management system built into all macOS distributions.

The exploit is highly efficient because the malicious app doesn’t need admin access to retrieve passwords from the user’s Keychain file, and can even retrieve the contents of other Keychain files, which store passwords for other macOS users.

Henze has not published any proof-of-concept code to support his finding, except for a YouTube video, but a well-respected Apple security researcher confirmed in a Forbes article today that the exploit exists and works as described in the German news site interview.

Henze didn’t report the vulnerability to Apple before going public with his video. He cited the company’s lack of a bug bounty program for macOS as the primary reason. Apple runs bug bounty programs for other products, but not for macOS.

Speaking to ZDNet, Henze said that Apple’s security team had reached out yesterday after his research has started getting media attention.

The Apple security team asked for more details, but he declined unless they start a bug bounty for macOS as well, and reward security researchers for the bugs they find in macOS.

“Even if it looks like I’m doing this just for money, this is not my motivation at all in this case,” Henze told ZDNet today. “My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers.”

“I really love Apple products, and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have),” the researcher told us.

An Apple spokesperson did not return a request for comment from ZDNet prior to this article’s publication.

Henze’s macOS zero-day –which he’s referring to as KeySteal– is somewhat similar to another macOS zero-day named KeychainStealer, discovered by Patrick Wardle in September 2017. Coincidentally, Wardle is the independent Apple security expert who confirmed Henze’s zero-day for Forbes earlier today.