By SecureWorld News Team
Wed | Feb 6, 2019 | 1:41 PM PST

A security researcher in Europe posted a video over the weekend showing a 2019 zero-day exploit against macOS Mojave and earlier versions, which allows him to steal Keychain Access passwords.

Here is security researcher Linus Henze's description of the exploit in his own words, along with his 90-second video of the exploit in action:

"In this video, I'll show you a 0day exploit that allows me to extract all your (local) keychain passwords on macOS Mojave (and lower versions). Without root or administrator privileges and without password prompts of course."

Why security researcher publicly shared vulnerability

Why are you reading an article and watching a video of this macOS exploit instead of having Apple secretly work on a patch?

Henze explains his logic.

"The reason is simple: Apple still has no bug bounty program (for macOS), so blame them. Maybe this forces Apple to open a bug bounty program at some time."

And if this doesn't do it, perhaps it will happen in conjunction with embarrassment over Apple's recent Group FaceTime calling security vulnerability.

Details of that vulnerability were released publicly only after an attorney tried multiple times to notify Apple of the problem and received no response.

Stay tuned.
