Keychain Password Manager Holds MacOS Zero-day Vulnerability

February 7, 2019

A new zero-day vulnerability in MacOS could allow a malicious application to gain access to passwords stored in Keychain. The vulnerability lies in Keychain's access control and could allow password data to be retrieved without any of the necessary privileges or master passwords. It affects all MacOS versions, even the new 10.14.3 Mojave. The vulnerability remains exploitable because of the absence of a bug bounty program: the researcher who discovered the bug is refusing to disclose its details to Apple until the company implements a bug bounty program for MacOS.

Analyst Notes

Users should remove data from Keychain and find another means of storing their passwords until the issue is resolved.