MacAlert!

Up to the minute Apple and Mac news alerts

Purported Exploit Exposes Keychain Passwords on MacOS

[2019-02-07 17:26:37]

Thomas Brewster, Forbes:

“Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger. To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.”

Henze hasn’t released code (thankfully), only a video purporting to show his exploit in action. I’d be skeptical except that Patrick Wardle has tested the exploit and vouches for it, telling Sergiu Gatlan at the website Bleeping Computer:

“Yes, I was able to test it on a fully patched system and it worked lovely… It’s a really nice bug, inspiringly so… If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system… Dump various keychains to extract passwords, private keys, signing certificates and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access… One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case.”

This looks like a really bad vulnerability — especially so since Henze isn’t sharing details with Apple. Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.
