“Security researcher Linus Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain,” Benjamin Mayo reports for 9to5Mac. “However, he has said he is not sharing his findings with Apple out of protest.”
“Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility,” Mayo reports. “However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.”
“Via Heise.de, the exploit can purportedly access all the items in the ‘login’ and ‘System’ keychain,” Mayo reports. “Henze encourages other hackers and security researchers to publicly release Mac security issues as he wants to put pressure on Apple to expand the bug bounty program to cover macOS in addition to iOS.”
Read more in the full article here.
MacDailyNews Take: Ay yi yi.
Loosen the purse strings, Apple. Extend your bug bounty program to include macOS (and all other operating systems not currently covered).
Until Apple identifies and fixes this exploit, protect your Keychain by locking the login keychain so that its password is required to reopen it. In Keychain Access, make sure you know your keychain password, then highlight “login” and click the lock icon in the upper left of the window to lock the login keychain. Use your keychain password to unlock it when needed. Fortunately, iCloud Keychain is not affected by this exploit.
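The same mitigation from the Terminal, as an added example that is not part of the MacDailyNews post: Apple's `security` command-line tool can lock the login keychain and, going a step beyond the Keychain Access steps above, make it lock itself on sleep and after an idle timeout. It assumes a macOS 10.12 or later keychain path (`~/Library/Keychains/login.keychain-db`) and a 300-second default timeout; both are overridable.

```shell
#!/bin/sh
# Added example (not from the MacDailyNews post or 9to5Mac). Hardens the
# login keychain with Apple's `security` CLI. Assumptions: the login
# keychain lives at the macOS 10.12+ path below, and a 300-second idle
# timeout is acceptable; override SECURITY_BIN / LOGIN_KEYCHAIN as needed.

SECURITY_BIN="${SECURITY_BIN:-security}"
LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Lock the login keychain right now; the keychain password is needed to reopen it
# (equivalent to clicking the lock icon in Keychain Access).
lock_login_keychain() {
    "$SECURITY_BIN" lock-keychain "$LOGIN_KEYCHAIN"
}

# Make the keychain relock on its own: -l locks when the system sleeps,
# -u enables the idle timeout and -t sets that timeout in seconds.
set_autolock() {
    timeout_secs="${1:-300}"
    "$SECURITY_BIN" set-keychain-settings -l -u -t "$timeout_secs" "$LOGIN_KEYCHAIN"
}

# Print the keychain's lock settings so the change can be verified.
show_settings() {
    "$SECURITY_BIN" show-keychain-info "$LOGIN_KEYCHAIN"
}

# Lock now, enable auto-lock, then display the resulting settings.
harden_login_keychain() {
    lock_login_keychain && set_autolock "${1:-300}" && show_settings
}

# Usage: sh harden_keychain.sh --run [timeout_seconds]
if [ "${1:-}" = "--run" ]; then
    harden_login_keychain "${2:-300}"
fi
```

`show-keychain-info` reports the timeout and lock-on-sleep state, so a quick check after running it confirms the keychain will not stay unlocked indefinitely.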