Researchers found a vulnerability on macOS: the user’s passwords can be stolen

This week, Linus Henze, Gernman security researcher, found a new zero-day vulnerability on macOS named “KeySteal”, which is to access all the sensitive data of the user with the related password.

It seems that Linus Henze used a malicious app to extract data from the app accessed with Mac’s keychain, without the administrator right or password. It can obtain passwords and other information of the app accessed with the keychain.

The funny thing is that Linus Henze didn’t reveal this to Apple. He said he won’t publish the vulnerability, because Apple hasn’t proposed any reward plan for vulnerabilities yet. He also clarified his position in a declaration he made to “Forbes”: “It takes time to discover such vulnerabilities. I think it’s the researchers should be paid for that, since we’re helping Apple improve their products.”

Apple has an incentive plan for iOS. People who discovered vulnerabilities will be rewarded. But Apple hasn’t had that for macOS yet. It’s learned that Apple’s security team has contacted Henze, but he still refused to provide any more details, unless there is an incentive plan. According to Linus Henze: “This is never my motive, even though it seems I did this just for money. My motive is to ask Apple create an incentive plan for vulnerabilities, which I think would be good for both Apple and researchers.”

In addition, KeySteal is not the first vulnerability related to keychain accessibility on macOS discovered by researchers. Patrick Wardle, security researcher, demonstrated a similar vulnerability in 2017, which should have been fixed now.