A recently discovered macOS exploit allows someone to steal usernames and passwords directly from the Keychain app without requiring an Administrator account.
The exploit was discovered by Linus Henze, a German cybersecurity researcher. Details on exactly how the exploit works are slim, but Henze demonstrates how easy it is to access Keychain’s stored content in the video below:
Henze uses a program called KeySteal to lift the sensitive information, and he does it quite easily. KeySteal appears to be a unique program developed by Henze and not available in the wild (which is a good thing).
The software can access Keychain without requiring an admin password or any other permissions. The exploit could be dangerous if downloaded without the end user knowing. If installed on a machine, once the user logs in the exploit could potentially launch in the background and would have free access to all of Keychain’s stored information.
According to Henze the exploit completely bypasses all of Apple’s current security measures (such as their T2 security chip).
The exploit was first publicized in February and Henze has been acting in a sort of… mercenary fashion. At first he refused to share his findings with Apple because the company doesn’t currently offer any sort of bug bounty program to security researchers who discover flaws in the OS.
Thankfully the ice has thawed and the two are working things out, and hopefully the issue gets resolved in an upcoming software update. Until then, the only way to protect your system is to manually add an extra password to Keychain that’s different from your default system password.
That’s all the information we’ve got regarding the issue currently, but we’ll keep you updated if things change. The easiest way to follow along is to subscribe to our blog using the form located at the top of the page.