Researcher gives Apple details of macOS Keychain security flaw despite lack of macOS bug bounties

“A German teenager who discovered a macOS Keychain security flaw last month has now shared the details with Apple, after having initially refused to hand them over because of the company’s lack of a bug bounty program for the Mac,” Tim Hardwick reports for MacRumors.

“Eighteen-year-old Linus Henze dubbed the zero-day macOS vulnerability he found ‘KeySteal,’ which, as demoed in the video above, can be used to disclose all sensitive data stored in the Keychain app,” Hardwick reports. “Henze said he decided to reveal the details to Apple because the bug ‘is very critical and because the security of macOS users is important to me.’”

Hardwick reports, “‘Even if it looks like I’m doing this just for money, this is not my motivation at all in this case,’ said Henze. ‘My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers.’”

Read more in the full article here.

MacDailyNews Take: Kudos to Henze for doing the right thing. Many users rely heavily on Keychain and require it to be secure. Now, do the right thing in return and reward him, Apple!

Loosen the purse strings, Apple. Extend your bug bounty program to include macOS (and all other operating systems not currently covered).

Until Apple identifies and fixes this exploit, protect the integrity of your Keychain by making sure you lock the login keychain with an extra password. In Keychain Access, make sure you know your keychain password, then highlight “login” and click the lock icon in the upper left of the window to lock the login keychain. Use your keychain password to unlock it when needed. Fortunately, iCloud Keychain is not affected by this exploit. – MacDailyNews, February 6, 2019
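The same mitigation, done from the Terminal rather than by clicking the lock icon in Keychain Access. This is an added example, not code from the article, from Henze or from Apple; it uses Apple's built-in `security` command, which is on every Mac. It assumes macOS 10.12 or later, where the login keychain is the file ~/Library/Keychains/login.keychain-db, and it goes one step beyond the article's advice by also telling the keychain to re-lock itself on sleep and after a period of inactivity (the 300-second value is this example's choice, not a figure from the article), so a keychain you unlocked for a moment does not stay open for the rest of the day.

```shell
#!/bin/sh
# Added example (not from the MacDailyNews article or Apple documentation):
# lock the login keychain from the shell with Apple's `security` tool, and
# make it lock itself again on sleep and after inactivity.
# Assumptions: macOS 10.12 or later (login keychain at
# ~/Library/Keychains/login.keychain-db); the path and the 300 s timeout
# are this example's choices. Override the path with LOGIN_KEYCHAIN.
set -eu

LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Configure automatic locking, then lock the keychain right now.
#   -l  lock the keychain when the Mac sleeps
#   -u  lock the keychain after a period of inactivity
#   -t  that inactivity period, in seconds
# Returns non-zero (and stops, because of set -e) if either call fails.
harden_login_keychain() {
    timeout_seconds="${1:-300}"
    security set-keychain-settings -l -u -t "$timeout_seconds" "$LOGIN_KEYCHAIN"
    security lock-keychain "$LOGIN_KEYCHAIN"
}

# Print the keychain's current lock settings so the change can be confirmed.
show_login_keychain_settings() {
    security show-keychain-info "$LOGIN_KEYCHAIN"
}

# Run automatically only where the `security` tool exists (macOS); on other
# systems the functions are merely defined.
if command -v security >/dev/null 2>&1; then
    harden_login_keychain 300
    show_login_keychain_settings
fi
```

After running it, Keychain Access shows the “login” keychain locked, and macOS will prompt for the keychain password the next time an application needs an item from it; to keep the keychain open while you are actively using the Mac, raise the timeout value passed to `harden_login_keychain`.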

SEE ALSO:
Security researcher reveals macOS exploit to access Keychain passwords, refuses to share with Apple (plus: how to secure your Keychain) – February 6, 2019

2 Comments

  1. Apple’s insipid beancounters are causing enormous damage to the Apple brand, and customer loyalty.

    More and more long-time Apple fans are sticking with Apple because they feel they have to, not because they want to.

  2. “‘Even if it looks like I’m doing this just for money, this is not my motivation at all in this case,’ said Henze. ‘My motivation is to get Apple to create a bug bounty program.’”

    I’m not doing it for the money I’m doing it because I want them to CREATE a way for me to make money. You see? Two completely different things.

    Maybe if every security exploit didn’t begin with “If someone gets physical access to your computer…”. If someone that you don’t want to have access has access to your computer, you have FAR more serious problems than ‘who’s on your computer’.

    And if you run everything that gets pushed to you from a website OR that shows up in your email, there’s not a bug bounty in the WORLD that will prevent you from being hacked.
