Security researcher Linus Henze recently uncovered a vulnerability within MacOS Mojave that allows an unauthorized application to steal passwords from both your Mac’s ‘login’ and ‘system’ Keychains. As macOS’ password management system, Keychain has been implemented since Mac OS 8.6, keeping user’s most important data safe and secure; however, as of late it doesn’t seem to be doing the job. A similar exploit was discovered and patched in 2017, but now Henze’s discovery, which he names KeySteal, is currently still within MacOS and available for hacker exploit.
KeySteal can access and view a system’s Keychains without requiring any permission from the user. Such action is typically protected by an administrator password needing to be entered before an application is granted access to a single part of the Keychain. The exploit itself needs to be launched when a user is logged in and could be extremely dangerous if unsuspectingly downloaded. The exploit completely bypasses security measures from Apple such as the company’s T2 security chip, and thus are entirely ineffective.
Henze’s KeySteal exploit has not been clearly explained from a technical level; he keeps the knowledge away from the public to prevent causing widespread security issues, but he has also held it from Apple. One point that has been routinely cited by MacOS security researchers is that Apple doesn’t offer a bounty for exploits as it does with its iOS platform. Thus, security researchers who spend their time discovering exploits are not rewarded for their work. It is common practice to pay security researchers for finding bugs and other exploits, putting Apple’s stance with MacOS in a unique position.
As of this moment, Apple has not commented on the exploit, nor has it issued a patch securing the vulnerability. Thus, users concerned about the KeySteal exploit should continue to follow safe security practices when downloading content from the web — not acquiring content from unknown sources and not running any applications that are unfamiliar. The previous exploit took Apple about two weeks to patch, but the researcher, Patrick Wardle, provided the company with detailed information, thus it is called into question how long it will take Apple to discover the current issue before offering the update.