The security expert Linus Henze has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the Keychain. According to Henze, the flaw affects macOS Mojave and earlier versions.
The researcher did not report the vulnerability to Apple; he publicly disclosed the existence of the flaw without making its details public.
Henze has published a video PoC for the flaw that shows how malware can extract passwords from the local Keychain password management system. The attack works on a system running the latest macOS Mojave version (10.14.3).
The attack is sneaky because it requires admin privileges for neither the malicious app nor the user account. The expert pointed out that the malicious code can only steal passwords from that user's Keychain, because the other Keychains are locked.
Why did Henze not report the flaw to Apple?
Simple: the expert explained that he did not share his discovery with the tech giant because the company doesn't operate a bug bounty program for
Currently, Apple’s bug bounty program only covers hardware, iOS and
The popular macOS expert and former NSA white hat hacker Patrick Wardle also confirmed that the exploit
(SecurityAffairs – MacOS Mojave, hacking)