Expert publicly disclosed the existence of a 0day flaw in macOS Mojave

Pierluigi Paganini February 07, 2019

A zero-day vulnerability in macOS Mojave can be exploited by malware to steal plaintext passwords from the Keychain.

The security expert Linus Henze has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the Keychain. According to Henze, the flaw affects macOS Mojave and earlier versions.

The researcher did not report the vulnerability to Apple; he publicly disclosed the existence of the flaw without publishing its details.

Henze has published a video PoC for the flaw that shows how to use malware to extract passwords from the local Keychain password management system. The attack works on a system running the latest macOS Mojave version (10.14.3).

The attack is sneaky because neither the malicious app nor the user account needs admin privileges. The expert pointed out that the malicious code could exploit the flaw to steal passwords only from that user’s Keychain because other Keychains are locked.


Why did Henze not report the flaw to Apple?

Simple: the expert explained that he did not share his discovery with the tech giant because the company doesn’t operate a bug bounty program for macOS. Apple contacted the expert after the publication of the video asking for more details about the issue, but Henze refused to provide them without a bounty.

Currently, Apple’s bug bounty program only covers hardware, iOS and iCloud.

The popular macOS expert and former NSA white hat hacker Patrick Wardle also confirmed that the exploit works.


Pierluigi Paganini

(SecurityAffairs – MacOS Mojave, hacking)
