Researcher provides Apple with details (and fix) for Keychain flaw

Apple still won't cough up a reward.
Photo: Killian Bell/Cult of Mac

A security researcher has decided to provide Apple with details — and a patch — for a serious Keychain flaw in macOS Mojave that allows anyone to access your saved usernames and passwords.

Linus Henze previously withheld the information in protest of Apple’s decision not to offer a macOS bug bounty program. He now believes the problem is too serious for the company to ignore.

Henze detailed the vulnerability, and a program he built to exploit it, last month. His KeySteal tool allowed Keychain usernames and passwords to be obtained without administrator access under the latest version of macOS.

Henze decided not to share the details with Apple at the time, but he has since had a change of heart.

Apple learns details of Keychain flaw

“I’ve decided to submit my Keychain exploit to Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me,” Henze tweeted. “I’ve sent them the full details.”

Amazingly, Henze also sent Apple a fix for the problem, “for free of course.”

Apple won’t cough up for macOS bugs

If this were a flaw in iOS, Henze would have received a reward for his discovery as part of Apple’s bug bounty program. But because the problem is in macOS, for which there is no bounty program, Henze will get nothing.

Henze had been encouraging other researchers to publicly disclose problems they discovered in macOS, and to withhold the details from Apple, in an effort to pressure the company into offering macOS bug bounties. But the plan didn’t pay off.

Apple did contact Henze to ask about his discovery, but did not respond to his demands for a bounty program. Henze has now given in to ensure that the problem is fixed and that macOS users are safe.

How to prevent the KeySteal exploit

It’s not yet clear if Apple will use Henze’s fix, or when the problem will be rectified in Mojave. There have been no reports of bad actors using similar exploits in the wild, but users can ensure they are safe by locking Keychain with an additional password.