“A German teenager who discovered a macOS Keychain security flaw last month has now shared the details with Apple, after having initially refused to hand them over because of the company’s lack of a bug bounty program for the Mac,” Tim Hardwick reports for MacRumors.
“Eighteen-year-old Linus Henze dubbed the zero-day macOS vulnerability he found ‘KeySteal,’ which, as demoed in the video above, can be used to disclose all sensitive data stored in the Keychain app,” Hardwick reports. “Henze said he decided to reveal the details to Apple because the bug ‘is very critical and because the security of macOS users is important to me.’”
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
— Linus Henze (@LinusHenze) February 28, 2019
Hardwick reports, “‘Even if it looks like I’m doing this just for money, this is not my motivation at all in this case,’ said Henze. ‘My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers.’”
Read more in the full article here.
MacDailyNews Take: Kudos to Henze for doing the right thing. Many users rely heavily on Keychain and require it to be secure. Now, do the right thing in return and reward him, Apple!
Loosen the purse strings, Apple. Extend your bug bounty program to include macOS (and all other operating systems not currently covered).
Until Apple identifies and fixes this exploit, protect the integrity of your Keychain by making sure you lock the login keychain with an extra password. In Keychain Access, make sure you know your keychain password, then highlight “login” and click the lock icon in the upper left of the window to lock the login keychain. Use your keychain password to unlock it when needed. Fortunately, iCloud Keychain is not affected by this exploit. — MacDailyNews, February 6, 2019