Thomas Brewster, Forbes:
Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.
To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.
Henze hasn’t released code (thankfully), only a video purporting to show his exploit in action. I’d be skeptical except that Patrick Wardle has tested the exploit and vouches for it, telling Sergiu Gatlan at the website Bleeping Computer:
Yes, I was able to test it on a fully patched system and it worked lovely… It’s a really nice bug inspiringly so… If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system… Dump various keychains to extract passwords private keys signing certificates and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access… One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case.
This looks like a really bad vulnerability — especially so since Henze isn’t sharing details with Apple.
Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.
★ Thursday, 7 February 2019