A zero-day security flaw in macOS Mojave has been shared publicly by a German security researcher
A zero-day security flaw in macOS Mojave has been shared publicly by a German security researcher, Linus Henze. The vulnerability is called “KeySteal”, and Henze claims to have developed malicious software that is able to extract all passwords saved in Keychain, the built-in password manager for macOS.
Henze showcased his app’s capabilities on his YouTube channel; however, he has refused to share details of the security flaw in protest against Apple’s lack of a bug bounty program for macOS. He disclosed that his malware works without root or administrative privileges to extract local keychains; however, the app is unable to access information saved in iCloud.
For the exploit to work, the malware must first be downloaded to the macOS host. An attacker may hide the malware in a legitimate application, or it might be installed without the user’s knowledge from a rogue website. KeySteal was demonstrated by Henze on a MacBook Pro (2014), so there is a chance that the malware might not be able to get past the newer Apple T2 security chip.
According to ZDNet, the Apple security team reached out to Henze, but the German researcher reportedly declined to disclose more details until the company has a bug bounty program. This move will be beneficial to both Apple and security researchers.
(Source: Heise.de via MacRumors, Forbes via ZDNet)