A researcher has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the operating system’s Keychain. The flaw has not been reported to Apple, but its details have not been made public.
Germany-based Linus Henze has published a video showing how a malicious application installed on a system running the latest release of Apple’s macOS Mojave operating system (10.14.3) can extract passwords from the local Keychain password management system.
According to Henze, the malicious app and the user account on which it is running don’t require admin privileges for the attack to work. However, passwords can only be obtained from that user’s Keychain – other Keychains are likely inaccessible due to the fact that they are typically locked and the attack only works against unlocked Keychains.
The researcher says he has not reported his findings to Apple due to the lack of a bug bounty program for macOS. Apple does have a bug bounty program, with rewards of up to $200,000, but it only covers hardware, iCloud and iOS hacks.
Henze says he has been contacted by Apple’s product security team after publishing the video, but he claims he will not share full details of the attack with the tech giant without a bounty.
While the details of the vulnerability have not been made public to prevent abuse, researcher Patrick Wardle, who in 2017 discovered a similar vulnerability in macOS High Sierra, has confirmed for Forbes that the vulnerability found by Henze exists and the exploit works.
Henze claims the vulnerability impacts macOS Mojave and earlier versions. A video published by the researcher shows his proof-of-concept (PoC) tool in action:
Related: Vulnerability Allowed Hackers to Steal iCloud Keychain Secrets
Related: macOS Mojave Patches Vulnerabilities, But New Flaws Already Emerge
Related: macOS High Sierra Leaks APFS Volume Passwords via Hint
Related: Apple Boosts Security in iOS 12, macOS Mojave
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Tags: 
