Security researcher reveals macOS exploit to access Keychain passwords, refuses to share with Apple (plus: how to secure your Keychain)

“Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain,” Benjamin Mayo reports for 9to5Mac. “However, he has said he is not sharing his findings with Apple out of protest.”

“Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility,” Mayo reports. “However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.”

“Via, the exploit can purportedly access all the items in the ‘login’ and ‘System’ keychain,” Mayo reports. “Henze encourages other hackers and security researchers to publicly release Mac security issues as he wants to put pressure on Apple to expand the bug bounty program to cover macOS in addition to iOS.”

Read more in the full article here.

MacDailyNews Take: Ay yi yi.

Loosen the purse strings, Apple. Extend your bug bounty program to include macOS (and all other operating systems not currently covered).

Until Apple identifies and fixes this exploit, protect the integrity of your Keychain by making sure you lock the login keychain with an extra password. In Keychain Access, make sure you know your keychain password, then highlight “login” and click the lock icon in the upper left of the window to lock the login keychain. Use your your keychain password to unlock it when needed. Fortunately, iCloud Keychain is not affected by this exploit.


  1. Actions speak louder than words Apple!

    You repeatedly state that you value the Mac, but you fail to extend the same protections as you do with iOS? Actions speak louder than words!

    1. Exactly! I mean, when I talk to myself, Alan Von Greentink, I have to agree with myself! I’d go all Ishonk von Stinka if I did anything legitimate like being a non-a-hole.

      But… I remain an a-hole. I am Alan Von Randy Zero Greenshonk. I am Legend. I am a will Smith wannabe that will SAVE THE WORLD with my azzholishness.

  2. “Until Apple identifies and fixes this exploit, protect the integrity of your Keychain by making sure you”
    DON’T DOWNLOAD AND EXECUTE and then approve GateKeeper access to QUESTIONABLE APPLICATIONS ON YOUR MAC. Why does he want a bounty on macOS… follow the money. The exploits on iOS are few and far between. As a result, he’s not making as much money on iOS anymore and it’s hurting his bottom line.

    Thing is, now that he’s shown it, someone WILL replicate it, provide it to Apple and will be mentioned as the person that shared the exploit with Apple. So what he will gain is… some publicity. I guess that’s what it’s really all about!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.