A new MacOS zero-day vulnerability found in Keychain password management system
- The vulnerability could allow a malicious application running on a MacOS system to gain access to passwords stored in the Keychain password management system.
- The security researcher who uncovered the vulnerability declined to share more details on the vulnerability with Apple unless Apple starts a bug bounty for MacOS.
A German security researcher published a video describing the new zero-day vulnerability that impacts Apple’s MacOS. The researcher Linus Henze noted that the vulnerability could allow a malicious application running on a MacOS system to gain access to passwords stored in the Keychain password management system.
Henze explained that the vulnerability is present in the Keychain password management system’s access control and could allow the malicious app to retrieve passwords from the user’s Keychain file without needing admin privileges or the keychain master password.
Henze disclosed that this vulnerability impacts all MacOS versions up to the latest, 10.14.3 Mojave, and stated that Apple’s lack of a bug bounty program for MacOS is the primary reason for the exploit. Note that Apple runs bug bounty programs for all its products except MacOS.
Won't share vulnerability details with Apple
Henze told ZDNet that Apple reached out to him for more details on the vulnerability, but he declined to share them unless Apple starts a bug bounty program for MacOS and rewards security researchers for the bugs they find in MacOS.
“Even if it looks like I'm doing this just for money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers,” Henze told ZDNet.
“I really love Apple products, and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have),” Henze added.
Exploit tested by Patrick Wardle
Henze sent a tweet to Patrick Wardle, a former NSA hacker, who was also exploring a similar vulnerability called KeychainStealer last year. “Remember KeychainStealer by @patrickwardle which can steal all your keychain passwords? While his vulnerability is patched now, I've found a new one, affecting macOS Mojave and lower,” the tweet read.
Wardle tested this vulnerability and stated that the bug is very inspiring. “Yes, I was able to test it on a fully patched system and it worked lovely…It’s a really nice bug inspiringly so...If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system…Dump various keychains to extract passwords, private keys, signing certificates, and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access…One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case,” Wardle told BleepingComputer.