By John Gruber
WorkOS: APIs to ship SSO, SCIM, FGA, and User Management in minutes. Check out their launch week.
Thomas Brewster, Forbes:
Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.
To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.
Henze hasn’t released code (thankfully), only a video purporting to show his exploit in action. I’d be skeptical except that Patrick Wardle has tested the exploit and vouches for it, telling Sergiu Gatlan at the website Bleeping Computer:
Yes, I was able to test it on a fully patched system and it worked lovely… It’s a really nice bug inspiringly so… If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system… Dump various keychains to extract passwords private keys signing certificates and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access… One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case.
This looks like a really bad vulnerability — especially so since Henze isn’t sharing details with Apple.
Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.
★ Thursday, 7 February 2019