- A critical zero-day flaw was discovered in the Keychain application in macOS.
- The flaw allows attackers to read all stored passwords in plain text.
- The flaw affects all versions of macOS, including 10.14.3 Mojave.
Security researchers have discovered a critical zero-day vulnerability in Keychain, the password management system of macOS.
The vulnerability allows attackers to read all data stored in Keychain, including passwords, in plain text.
Keychain is the macOS application that stores passwords and account details for applications, websites and email accounts.
The flaw was discovered by security researcher Linus Henze, who said that it could be exploited from any local user account, without admin privileges and without the Keychain master password.
According to the researcher, attackers can gain access to passwords stored in Keychain by tricking users into installing a malicious app on their system. The exploit does not require admin privileges and can even retrieve the contents of Keychain files belonging to other macOS users.
The vulnerability affects all versions of macOS, including the latest version, 10.14.3 Mojave.
The researcher also published a video demonstrating how the exploit works, which can be seen below:
Henze refused to share the details of the vulnerability with Apple before releasing the video, citing the lack of a bug bounty program for macOS as his reason.
“I won’t release this. The reason is simple: Apple still has no bug bounty program (for macOS), so blame them.”
“Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers,” the researcher said to ZDNET.