A security researcher has gone public on YouTube with a new flaw which he found in macOS. The flaw lies within keychain, the macOS password manager that keeps the passwords for applications, servers, websites and sensitive information related to banking. The information that is kept in keychain is encrypted by default, which would not allow third party apps to have access to what it keeps, but the new flaw as shown by the researcher shows how he can access the information by using a malicious application. The flaw is present in keychain’s access control and could allow an attacker to view the passwords it keeps from a local account without having administrator privileges or the master password for keychain. The flaw only works if keychain is unlocked, which it usually is as long as the user is logged in–except for the System keychain which holds wi-fi passwords, etc. The researcher stated that this flaw affects all version of macOS up to the latest one. According to the researcher, he went public with this flaw instead of turning it in to Apple because he thinks that there is a lack of bug bounty programs for macOS, and that apple needs to open up more. He stated that they have programs for other devices and software, just not macOS. Apple reached out to the researcher to try to get more details, but the researcher refused–stating that until there is a Bug Bounty program in place, he will not release any more information regarding this zero-day.
Analyst Notes
Currently, there is no fix for this issue by Apple, but users should be on the lookout for a system update which fixes this flaw. In the meantime, users should ensure that whenever they are logged into their computer, that they make sure their keychain is locked, and only unlocked when they need something from it.
