Obsessed with technology?
Subscribe to the latest tech news as well as exciting promotions from us and our partners!
By subscribing, you indicate that you have read & understood the SPH's Privacy Policy and PDPA Statement.
News
News Categories

A zero-day security flaw in macOS Mojave has been shared publicly by a German security researcher

By Wong Chung Wee - on 8 Feb 2019, 9:55am

A zero-day security flaw in macOS Mojave has been shared publicly by a German security researcher

A zero-day security flaw in macOS Mojave has been shared publicly by a German security researcher, Linus Henze. The vulnerability is named “KeySteal” and Henze claims to have developed a malicious application that is able to extract all passwords stored in Keychain, which is the built-in password manager for macOS.

Henze showcased his app’s capabilities on his YouTube channel; however, he has refused to share details of the security flaw as a sign of protest against Apple’s lack of a bounty bug reward program for macOS. He disclosed his malware works, without root or administrative privileges, to extract local keychains; however, the app is unable to access information stored in iCloud.

For the exploit to work, the malware needs to be downloaded to the macOS host first. A hacker could hide the malware in a legitimate application or it could be installed without the user’s knowledge from a rouge website. KeySteal was demonstrated by Henze on a MacBook Pro (2014) so there’s a chance that the malware may not be be able to get pass the newer Apple T2 security chip.

According to ZDNet, the Apple security team reached out to Henze but the German researcher reportedly declined to reveal more details until the company has a bug bounty program. This move will be beneficial to both Apple and security researchers.

(Source: Heise.de via MacRumors, Forbes via ZDNet)

Loading...