“Security researcher Linus Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain,” Benjamin Mayo reports for 9to5Mac. “However, he has said he is not sharing his findings with Apple out of protest.”
“Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility,” Mayo reports. “However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.”
“Via Heise.de, the exploit can purportedly access all the items in the ‘login’ and ‘System’ keychain,” Mayo reports. “Henze encourages other hackers and security researchers to publicly release Mac security issues as he wants to put pressure on Apple to expand the bug bounty program to cover macOS in addition to iOS.”
MacDailyNews Take: Ay yi yi.
Loosen the purse strings, Apple. Extend your bug bounty program to include macOS (and all other operating systems not currently covered).
Until Apple identifies and fixes this exploit, protect the integrity of your Keychain by making sure the login keychain is locked behind its own password. In Keychain Access, make sure you know your keychain password, then highlight “login” and click the lock icon in the upper left of the window to lock the login keychain. Use your keychain password to unlock it when needed. Fortunately, iCloud Keychain is not affected by this exploit.
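The same mitigation can be applied from the Terminal with macOS's built-in `security` tool, which also lets you make the lock stick (re-lock on sleep and after a period of inactivity) rather than relying on remembering to click the lock icon. The script below is an added example, not code from the MacDailyNews post or from the researcher; it assumes macOS 10.12 or later, where the login keychain file is `~/Library/Keychains/login.keychain-db` (older releases used `login.keychain`), and it only touches the local login keychain, which is the one the post says is exposed.

```shell
#!/bin/sh
# Added example (not from the MacDailyNews post): lock the login keychain with the
# macOS `security` tool and keep it locked on sleep and after an idle timeout.
# Assumption: macOS 10.12+ keychain file names under ~/Library/Keychains.

# Print the path of the login keychain file, or fail if none is found.
login_keychain_path() {
    for candidate in "$HOME/Library/Keychains/login.keychain-db" \
                     "$HOME/Library/Keychains/login.keychain"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Accept only a positive whole number of seconds for the auto-lock timeout.
validate_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        0)           return 1 ;;   # a zero timeout is meaningless
        *)           return 0 ;;
    esac
}

# Lock the login keychain now, and make it re-lock when the Mac sleeps and after
# $1 seconds of inactivity (default 300). This is the post's "click the lock icon"
# step, plus settings that keep the keychain from staying unlocked all day.
harden_login_keychain() {
    timeout="${1:-300}"
    validate_timeout "$timeout" || { echo "bad timeout: $timeout" >&2; return 1; }
    command -v security >/dev/null 2>&1 || { echo "security tool not found (not macOS?)" >&2; return 1; }
    kc=$(login_keychain_path) || { echo "login keychain not found" >&2; return 1; }

    # -l: lock when the system sleeps; -u -t N: lock after N idle seconds
    security set-keychain-settings -l -u -t "$timeout" "$kc" || return 1
    # Lock it right now; unlock on demand with: security unlock-keychain "$kc"
    security lock-keychain "$kc" || return 1
    # Print the resulting settings so the change can be verified
    security show-keychain-info "$kc"
}

# Usage: sh harden_keychain.sh --apply [timeout_seconds]
if [ "${1:-}" = "--apply" ]; then
    harden_login_keychain "${2:-300}"
fi
```

`security show-keychain-info` prints the lock-on-sleep and timeout settings, so you can confirm they took effect; Keychain Access shows the same values under the keychain's "Change Settings" dialog. Apps that need a keychain item will prompt for the keychain password once it is locked, which is the whole point: an item cannot be read silently while the keychain is locked.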
It’s not like Apple can’t afford to pay him. Tightwads.
I concur.
The term I was thinking about was “cheap MoFo”.
Wanting to be the security and privacy vanguard and to not pay for it in this way = cake and eat it too definition.
Actions speak louder than words Apple!
You repeatedly state that you value the Mac, but you fail to extend the same protections as you do with iOS? Actions speak louder than words!
Good on the researcher for putting pressure on Apple. The gorram penny-pinching beancounters who’ve taken over the company need to be beaten over the head.
Official Tim Cook Response:
If you want security, iOS is our office secure platform. Please switch to an iPad!
Example #45,437 of how Tim Cook doesn’t give a flying fuck about the Mac.
Exactly! I mean, when I talk to myself, Alan Von Greentink, I have to agree with myself! I’d go all Ishonk von Stinka if I did anything legitimate like being a non-a-hole.
But… I remain an a-hole. I am Alan Von Randy Zero Greenshonk. I am Legend. I am a Will Smith wannabe that will SAVE THE WORLD with my azzholishness.
OMG! How did we ever have security before bounty programs were created?!?!
With good QA and good software security experts auditing the code.
Clearly they failed here.
“Until Apple identifies and fixes this exploit, protect the integrity of your Keychain by making sure you”
DON’T DOWNLOAD AND EXECUTE, and then approve Gatekeeper access to, QUESTIONABLE APPLICATIONS ON YOUR MAC. Why does he want a bounty on macOS… follow the money. The exploits on iOS are few and far between. As a result, he’s not making as much money on iOS anymore and it’s hurting his bottom line.
Thing is, now that he’s shown it, someone WILL replicate it, provide it to Apple and will be mentioned as the person that shared the exploit with Apple. So what he will gain is… some publicity. I guess that’s what it’s really all about!