A new flaw discovered in macOS Mojave puts your sensitive Keychain data at risk.
One security researcher has demonstrated an exploit that could allow anyone to access saved usernames and passwords without administrator access. He won’t share the details with Apple, however, because there is no reward on offer.
Through its bug bounty program, Apple coughs up rewards when people discover serious iOS vulnerabilities. But the same mechanism does not extend to macOS. That’s why researcher Linus Henze won’t reveal the details of a newly discovered flaw in Mojave.
However, Henze — who earned a good track record by identifying iOS problems — seems happy to show the world exactly what the vulnerability allows. And it’s not good.
KeySteal exploit steals Mac Keychain passwords
Using a program Henze calls KeySteal, he successfully captured usernames and passwords saved to the macOS Keychain without administrator access.
It makes no difference if access control lists are in place on the machine. The Mac’s System Integrity Protection can’t prevent it, either.
Henze says the exploit can be used to access all items in the “login” and “System” Keychains. However, it cannot access data in the iCloud Keychain, which stores information differently.
Security researcher wants to put pressure on Apple
Henze won’t disclose his findings to Apple because of his frustration with the lack of a bug bounty program for macOS. He’s encouraging other researchers to publicly release security issues, too, so that they can put pressure on Apple to make a change.
It’s not clear if Apple is aware of this particular issue in Mojave — but there is something users can do to protect themselves.
How to prevent the KeySteal exploit
You can block exploits like KeySteal by locking the login keychain with an additional password. You must do this manually because macOS does not protect the login keychain this way by default. The fix is not ideal because it means endless password prompts when using your Mac.
It is the only fix for this macOS vulnerability for now, though. So if you’re worried about the problem, it’s your only choice.
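One way to apply and check the keychain lock described above, as an added example that is not from the article or from Henze. It uses the macOS `security` command-line tool; the keychain path, the 300-second threshold and the assumed `show-keychain-info` output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the article.

KC="$HOME/Library/Keychains/login.keychain-db"   # assumed default login keychain path
MAX_TIMEOUT=300                                  # assumed policy: lock after 5 idle minutes

# Classify one line of `security show-keychain-info` output (written to stderr).
# Assumed format: Keychain "<path>" [lock-on-sleep] timeout=<N>s   or   ... no-timeout
keychain_lock_posture() {
    line=$1
    max=${2:-$MAX_TIMEOUT}
    case $line in
        *no-timeout*) echo "weak: never auto-locks"; return 0 ;;
    esac
    timeout=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    if [ -z "$timeout" ]; then
        echo "unknown: unrecognised output"
    elif ! printf '%s\n' "$line" | grep -q 'lock-on-sleep'; then
        echo "weak: stays unlocked across sleep"
    elif [ "$timeout" -gt "$max" ]; then
        echo "weak: timeout ${timeout}s exceeds ${max}s"
    else
        echo "ok"
    fi
}

# Give the keychain its own password and make it relock promptly.
harden_login_keychain() {
    security set-keychain-password "$KC"                          # prompts for old and new password
    security set-keychain-settings -l -u -t "$MAX_TIMEOUT" "$KC"  # lock on sleep and after idle timeout
    security lock-keychain "$KC"                                  # lock now; next use prompts
}

# Runs only on macOS: report the current posture, harden when called with --apply.
if [ "$(uname -s)" = "Darwin" ]; then
    keychain_lock_posture "$(security show-keychain-info "$KC" 2>&1)"
    if [ "${1:-}" = "--apply" ]; then
        harden_login_keychain
    fi
fi
```

Choosing a keychain password that differs from the account login password is what stops the keychain from unlocking automatically at login.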