A researcher has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the operating system’s Keychain. The flaw has not been reported to Apple, but its details have not been made public.
Germany-based Linus Henze has published a video showing how a malicious application installed on a system running the latest release of Apple’s macOS Mojave operating system (10.14.3) can extract passwords from the local Keychain password management system.
According to Henze, the malicious app and the user account on which it is running don’t require admin privileges for the attack to work. However, passwords can only be obtained from that user’s Keychain – other Keychains are likely inaccessible due to the fact that they are typically locked and the attack only works against unlocked Keychains.
The researcher says he has not reported his findings to Apple due to the lack of a bug bounty program for macOS. Apple does have a bug bounty program, with rewards of up to $200,000, but it only covers hardware, iCloud and iOS hacks.
Henze says he has been contacted by Apple’s product security team after publishing the video, but he claims he will not share full details of the attack with the tech giant without a bounty.
While the details of the vulnerability have not been made public to prevent abuse, researcher Patrick Wardle, who in 2017 discovered a similar vulnerability in macOS High Sierra, has confirmed for Forbes that the vulnerability found by Henze exists and the exploit works.
Henze claims the vulnerability impacts macOS Mojave and earlier versions. A video published by the researcher shows his proof-of-concept (PoC) tool in action:
Related: Vulnerability Allowed Hackers to Steal iCloud Keychain Secrets
Related: macOS Mojave Patches Vulnerabilities, But New Flaws Already Emerge
Related: macOS High Sierra Leaks APFS Volume Passwords via Hint
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
Latest News
- Anti-Bot Software Firm DataDome Banks $42M Financing
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Why Endpoint Resilience Matters
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- UK Introduces Mass Surveillance With Online Safety Bill
