A security researcher has discovered a vulnerability in the macOS Keychain that could allow an attacker to steal users’ passwords.
Linus Henze recently published a video demonstrating the exploit on macOS Mojave. In the clip, Henze shows off a proof-of-concept app called KeySteal that can swipe passwords from both a Mac’s “login” and “system” keychains.
Worryingly, the KeySteal application can access and view a Mac’s keychains without needing to input a user profile’s password. It is also able to bypass Apple security measures — including those baked into the T2 chips in newer Mac platforms.
KeySteal needs to be launched when a user is logged in. But it could pose a serious threat if it is inadvertently downloaded by a user — or if it covertly makes its way onto a machine.
If there’s a bright side to KeySteal, it’s the fact that the exploit can’t be used to access passwords stored in iCloud Keychain. But it’s still a significant vulnerability for Mac users.
Is Apple Going to Fix It?
Normally, at this point, we’d say that Apple has been alerted to the details of the vulnerability and is working on a fix. But that may not be the case in this scenario.
That’s because Henze has not shared the details of the exploit with Apple. Why? The security researcher is protesting Apple’s Mac bug bounty policies (via Heise.de).
Apple rewards independent security researchers (and others) with monetary bounties for finding exploits and vulnerabilities for its iOS platform. But there’s no such program for macOS.
That means that independent security researchers who discover flaws within the macOS platform aren’t rewarded for their time and effort. Henze, for his part, thinks this is unfair.
On the flip side, it isn’t clear how KeySteal works on a technical level. Henze didn’t publicly disclose the exploit itself — presumably to prevent widespread use of the vulnerability.
Henze, a self-professed iOS and macOS fan, has a past track record of spotting legitimate vulnerabilities. So it’s likely that KeySteal is actually a threat, and not just a ploy to get Apple to change its bug bounty policies.
The security researcher is also calling on other hackers to publicly reveal other Mac security flaws — but withhold their inner workings from Apple. The ultimate goal, it seems, is to put pressure on the Cupertino tech giant to expand its bug bounty program to macOS.
Whether Henze will achieve that goal remains to be seen. In the meantime, macOS users should take proactive steps to protect themselves from KeySteal — especially since it may be some time before Apple manages to patch it.
How to Protect Yourself
At this point, it seems like the only way to mitigate the KeySteal vulnerability is to lock the Mac Keychain with an additional password, which isn’t exactly practical.
If you right-click on a keychain, you can manually lock it with an additional password: choose Get Info > Access Control and enable “Ask for Keychain Password.”
This will result in a popup password prompt every time the system needs to access that keychain data, but it’s still a reliable way to protect the data against KeySteal for the time being.
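A related keychain-level measure, given here as an added example that is not part of the article and not Henze’s or Apple’s code, is to make the default (login) keychain lock itself on sleep and after a period of inactivity using Apple’s `security` command-line tool. Once locked, any read of the stored secrets first requires the keychain password, which narrows the window in which an already-running app can read them. The script assumes macOS with `/usr/bin/security` and a constructed 300-second timeout; on a non-macOS system it reports that it skipped and returns 3. Whether this alone blocks KeySteal is not established by the article, so treat it as a complement to the per-item setting above rather than a replacement.

```shell
#!/bin/sh
# Added example, not from the article: harden the default (login) keychain with
# macOS's security(1). Assumes macOS; elsewhere the function skips and returns 3.

# Idle timeout in seconds after which the keychain locks (constructed value).
KEYCHAIN_LOCK_TIMEOUT=300

harden_default_keychain() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; not macOS, skipping keychain hardening" >&2
        return 3
    fi
    # -l: lock when the system sleeps; -u -t N: lock after N seconds idle.
    # With no keychain argument the user's default (login) keychain is used.
    security set-keychain-settings -l -u -t "$KEYCHAIN_LOCK_TIMEOUT" || return 1
    # Lock it immediately so the policy takes effect now, not after the timeout.
    security lock-keychain || return 1
    # Print the resulting settings so the change can be verified by eye.
    security show-keychain-info
}

harden_default_keychain || echo "keychain hardening returned $?" >&2
```

Run it as the logged-in user; macOS may ask for the keychain password before it applies the new settings. To undo the change, run `security set-keychain-settings` with no flags, which clears the lock-on-sleep and idle-timeout options.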