macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest

by

German security researcher Linus Henze this week discovered a new zero-day macOS vulnerability dubbed "KeySteal," which, as demoed in the video below, can be used to get to all of the sensitive data stored in the Keychain app.

Henze appears to use a malicious app to extract data from the Mac's Keychain app without the need for administrator access or an administrator password. It can get passwords and other information from Keychain, as well as passwords and details for other macOS users.


Henze has not shared the details of this exploit with Apple and says that he won't release it because Apple has no bug bounty program available for macOS. "So blame them," Henze writes in the video's description. In a statement to Forbes, Henze clarified his position, and said that discovering vulnerabilities takes time.

"Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we're helping Apple to make their product more secure."

Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.

According to German site Heise Online, which spoke to Henze, the exploit allows access to Mac Keychain items but not information stored in iCloud. Keychain is also required to be unlocked, something that happens by default when a user logs in to their account on a Mac.

applekeychain
Keychain can be locked by opening up the Keychain app, but an admin password then needs to be entered whenever an application needs to access Keychain, which can be inconvenient.

Apple's security team has reached out to Henze, according to ZDNet, but he has continued to refuse to provide additional detail unless they provide a bug bounty program for macOS. "Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."

This isn't the first Keychain-related vulnerability discovered in macOS. Security researcher Patrick Wardle demoed a similar vulnerability in 2017, which has been patched.

Popular Stories

iPhone 17 Slim Feature

'iPhone 17 Air' With 'Major' Design Changes and 19-Inch MacBook Detailed in New Report

Sunday December 15, 2024 9:47 am PST by
Apple is planning a series of "major design" and "format changes" for iPhones over the next few years, according to The Wall Street Journal's Aaron Tilley and Yang Jie. The paywalled report published today corroborated the widely-rumored "iPhone 17 Air" with an "ultrathin" design that is thinner than current iPhone models. The report did not mention a specific measurement, but previous...
Read Full Article133 comments
iphone 17 pro concept render cameras

Major iPhone 17 Pro Redesign Backed by Supply Chain Info, Claims Leaker

Thursday December 12, 2024 4:36 am PST by
Next year's iPhone 17 Pro models will reportedly feature a major redesign, specifically centering around changes to the rear camera module, and now new supply chain information appears to confirm the striking change, according to a Chinese leaker. iPhone 17 Pro concept render Late last month, The Information's Wayne Ma claimed that the rear of the ‌iPhone 17‌ Pro and ‌iPhone 17‌ Pro...
Read Full Article176 comments
Generic iOS 18

Apple Releases First Betas of iOS 18.3 and iPadOS 18.3

Monday December 16, 2024 10:06 am PST by
Apple today seeded the first betas of upcoming iOS 18.3 and iPadOS 18.3 updates to developers for testing purposes, with the software coming a week after Apple released iOS 18.2 and iPadOS 18.2. iOS 18.3 and iPadOS 18.3 can be downloaded from the Settings app on a compatible device by going to General > Software update. There's no word yet on what's included in iOS 18.3 and iPadOS 18.3, ...
Read Full Article50 comments
Magic Mouse Next to Keyboard

Apple 'Working' on Redesigned Magic Mouse With a Long-Awaited 'Fix'

Sunday December 15, 2024 8:43 am PST by
Apple is working on a redesigned Magic Mouse that will address some "longstanding complaints," according to Bloomberg's Mark Gurman. In his Power On newsletter today, Gurman said Apple in recent months has been working on a "full overhaul" of the Magic Mouse with a design that "better fits the modern era." However, he does not expect the new Magic Mouse to be released in the "next 12 to 18...
Read Full Article208 comments
AirTag 2 Mock Feature

AirTag 2 Expected to Launch Next Year With 'Considerable' Upgrade to Item Tracking

Sunday December 15, 2024 2:57 pm PST by
Apple plans to release a second-generation AirTag next year with "considerably" longer range for item tracking, according to Bloomberg's Mark Gurman. In his Power On newsletter today, Gurman said the new AirTag will use Apple's second-generation Ultra Wideband chip, or equivalent technology. The chip debuted last year in the iPhone 15 and the Apple Watch Ultra 2, and Apple said it offers up...
Read Full Article71 comments

Top Rated Comments

Scottsoapbox Avatar
Scottsoapbox
77 months ago
How does Apple not have a bug bounty program? Did they start believing their own marketing on Mac OS?
Score: 66 Votes (Like | Disagree)
Goompa Avatar
Goompa
77 months ago
It doesn’t surprise me. It’s been long time since Apple seemed to care about macOS.

I’m happy for the researcher. Let’s put some pressure on the giant.
Score: 45 Votes (Like | Disagree)
AngerDanger Avatar
AngerDanger
77 months ago
Thank god! It was so time-consuming having to double FaceTime call people and wait for them to casually list their passwords as part of natural conversation.
Score: 34 Votes (Like | Disagree)
CE3 Avatar
CE3
77 months ago
I understand that finding flaws isn't always an easy thing and can take highly educated/skilled people lots of time to find things like this however no one is forcing this guy to do it.

This sounds a bit like extortion to me.
Extortion implies that not informing developers of bugs is illegal, which it isn’t of course. Apple has likely “reached out” to offer a reward, but he says his motivation is to use this as an opportunity to get a reward program in place for everyone. Good for him. it will probably happen now.

Yes, no one forced him to find this vulnerability, but if you’re a macOS user you should be thankful that he did.
Score: 29 Votes (Like | Disagree)
displaced Avatar
displaced
77 months ago
Hmm.

Are Bug Bounty rewards a good idea which provide incentive and reward to bug researchers? Yes. Should Apple have one for macOS? Most likely.

Should a researcher withhold details on a discovered bug as a protest about the lack of a bounty? I don't think so. It seems both unprofessional and dangerous.
Score: 28 Votes (Like | Disagree)
lostngone Avatar
lostngone
77 months ago
I understand that finding flaws isn't always an easy thing and can take highly educated/skilled people lots of time to find things like this however no one is forcing this guy to do it.

This sounds a bit like extortion to me.
Score: 25 Votes (Like | Disagree)
Read All Comments