Security researcher Linus Henze demoed a zero-day macOS exploit impacting the Keychain password management system, which can store passwords for applications, servers, and websites, as well as sensitive information related to banking accounts.
All the data stored in the macOS Keychain app is encrypted by default, blocking other users or third-party apps from gaining access to it without proper permissions.
The vulnerability found by Henze in Apple’s macOS operating system last week is present “in the keychain’s access control” and could allow a potential attacker to steal Keychain passwords from any local user account on the Mac, without needing admin privileges or the keychain master password.
According to the researcher, the zero-day he found works “as long as the keychain is unlocked (which it usually is as long as you’re logged in), except for the System keychain – containing WiFi passwords etc. – which may be locked.”
Additionally, the exploit impacts all macOS versions up to the latest one, 10.14.3 Mojave, and extracts the passwords without displaying any user prompts.
Henze also built a Proof-of-Concept application named KeySteal to demonstrate how his zero-day exploit works, which you can see demoed in the video below.
When asked by Bleeping Computer if Apple tried to get in touch, the security researcher said that “Apple’s Product Security Team contacted me, however they just asked me if I would send them the full details. I told them I won’t do so until they change something. However, I’m still waiting for a response.”
Henze also stated that “the main problem is that Apple currently doesn’t have a program for macOS vulnerabilities, not even an invite-only.”