Another month – another privacy scandal? In light of the latest news, Apple may want to reconsider its motto.
With the dust from the FaceTime privacy bug still not settled, news of another macOS vulnerability is already making headlines in top-tier media. It's called the macOS keychain exploit, and if you're a Mac user hearing about it for the first time, do yourself a favor and read this article carefully.
macOS keychain exploit: what happened?
As it turns out, the macOS Keychain app, designed to store passwords and other user information, is not as secure as Apple wants us to believe. A German security researcher, Linus Henze, revealed via Twitter that anyone can steal your passwords using an app called KeySteal.
To exploit this vulnerability in the macOS keychain, a password hacker must first install the malicious app (KeySteal) on the victim's Mac. Of course, such a situation is not likely (unless you have a few password hackers hanging around your Mac every now and then). However, this case shows how little it takes to break into "the safest password retention" ever.
What is KeySteal?
KeySteal is a malicious app designed to extract user passwords and other credentials stored in macOS keychain without administrator privileges.
KeySteal was written by an 18-year-old security expert from Germany. It seems his intention was to show the world how insecure their private data is and, most importantly, to convince Apple of the need to offer a bug bounty program for macOS.
KeySteal does its job on all versions of macOS, including the newly updated macOS Mojave.
How did Apple respond to macOS keychain security news?
As we now know, Apple contacted Linus Henze regarding the vulnerability he found. They asked him for details of the exploit, and he agreed to provide them only if Apple would publish why they do not run a bug bounty program for macOS (as they do for iOS).
Apple did not respond.
Image source: Twitter account of Linus Henze
Although it is a good sign that Apple initially reached out, it looks suspicious that they refused to accommodate such a simple request, especially because the data privacy of the entire user base is at stake.
Furthermore, the Apple website sends mixed signals about the severity of the problem: the top-ranking search result for "Apple Keychain breach" contradicts the two results that follow it.
What should you do as a regular Mac user?
If you are worried about falling victim to this troublesome bug, there are two simple steps you can take to protect your privacy.
Change your default keychain password to a unique (and strong) one
Remember that downloading apps from suspicious, unofficial sources may jeopardize your online security and privacy
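As an added example that is not part of the original article, the following POSIX shell script shows how a Mac user can check and apply the first of these steps with Apple's built-in `security` command-line tool: it verifies that the login keychain auto-locks, sets a lock-on-sleep and idle timeout if it does not, and then prompts for a separate keychain password (so it no longer matches the login password). The login keychain path and the five-minute timeout are assumptions chosen for this example, not values from the article.

```shell
#!/bin/sh
# Added example (not from the original article): harden the macOS login
# keychain with the built-in `security` tool. Assumes macOS; the keychain
# path and timeout below are assumptions for this example.

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"
LOCK_TIMEOUT_SECONDS=300   # constructed policy: lock 5 minutes after last use

# Extract the "timeout=NNNs" field from a `security show-keychain-info` line,
# e.g.  Keychain "login.keychain-db" lock-on-sleep timeout=300s
# Prints the number of seconds, or "none" when the keychain never auto-locks.
parse_lock_timeout() {
    case "$1" in
        *timeout=*s*) printf '%s\n' "$1" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p' ;;
        *)            printf 'none\n' ;;
    esac
}

# Policy check: the keychain must auto-lock, and within LOCK_TIMEOUT_SECONDS.
# Returns 0 (true) when compliant, 1 otherwise.
timeout_is_compliant() {
    t=$(parse_lock_timeout "$1")
    [ "$t" != "none" ] && [ "$t" -le "$LOCK_TIMEOUT_SECONDS" ]
}

# Apply the hardening: lock on sleep (-l) and after the idle timeout (-u -t N),
# then set a keychain password distinct from the login password. The password
# change prompts interactively; nothing is passed on the command line.
apply_hardening() {
    security set-keychain-settings -l -u -t "$LOCK_TIMEOUT_SECONDS" "$LOGIN_KEYCHAIN"
    security set-keychain-password "$LOGIN_KEYCHAIN"
}

# Only act on a Mac where the `security` tool exists; elsewhere the functions
# above can still be used on captured output.
if command -v security >/dev/null 2>&1; then
    info=$(security show-keychain-info "$LOGIN_KEYCHAIN" 2>&1)
    if timeout_is_compliant "$info"; then
        echo "login keychain already auto-locks within ${LOCK_TIMEOUT_SECONDS}s"
    else
        echo "login keychain does not auto-lock soon enough; applying settings"
        apply_hardening
    fi
fi
```

Run it once from Terminal on the Mac you want to protect; an unlocked keychain is exactly what a locally installed tool like the one described above abuses, so keeping it locked when idle limits the window, and a dedicated keychain password means the login password alone no longer unlocks it.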
KeySteal and the macOS keychain exploit: the takeaway
If there is something valuable to learn from this story, let it be this: calling something absolutely safe is not enough. This worrying bug should serve as another good lesson to Apple. We wish Linus Henze the best of luck in convincing Apple to run a bug-bounty program. It obviously won't hurt.