A German Teen Builds an App That Can Steal Passwords from Mac Computers

macOS Keychain Vulnerability

Between July and September, Apple sold just under 47 million iPhones and about 10 million iPads. By contrast, Apple sold around 5.3 million Mac computers in the same time frame. Clearly, the world's favorite fruit-themed electronics company is making quite a bit more money from iOS devices than it is from computers and laptops. Does this mean that macOS users are left by the wayside when it comes to security? A German teenager by the name of Linus Henze seems to think that this is exactly what's happening. But why should we listen to him?

Because he has found a severe vulnerability affecting all modern versions of Apple's desktop operating system. He calls it KeySteal, and through it, he can scrape all the sensitive data from Keychain – the built-in system that many people use for storing their usernames and passwords.

A malicious app can steal all your passwords

On Sunday, the self-professed macOS and iOS fan published a video which illustrates the problem. The attack does rely on the user running some malicious code on an Apple machine, but Henze reckons that at least two infection vectors can make the stealing of passwords possible.

One of them involves the so-called supply chain attack where hackers compromise the infrastructure of a legitimate software vendor and embed malware into a new build or an update of a benign application. The second possibility is to trick the users into visiting a web page that can execute the malicious code on the victim's machine.

Henze's video shows that KeySteal doesn't need any additional privileges to work. The malware doesn't trigger any password prompts, and it works regardless of whether or not you have opted to sync your data across all your iDevices.

There's no patch on the way

This is a severe vulnerability found by a white hat hacker. Normally, in such cases, the hacker would contact the vendor, privately disclose all the details, and the vendor would issue a patch to plug the hole before anyone can exploit it. Only then would the general public learn about the whole thing. This time, things aren't working that way.

Although the video shows the exploit in action, the proof-of-concept code isn't public. One of the few people who have seen it is Patrick Wardle, an ex-NSA analyst and current security professional who has a history of poking holes through Keychain's security. He confirmed that the vulnerability is real and quite serious.

Apple's security team asked Linus Henze for the exploit, but he declined to share the details with them. The reason for this, he says, is the lack of a bug bounty program for macOS.

The age-old bug bounty problem

Some might go on the offensive and blame Henze for putting users at risk by preventing Apple from finding out more about the issue and fixing it. Some might even blame him for being greedy and only doing it for the fame and, potentially, the money.

The fact of the matter is, however, that people like Linus Henze do highly-skilled and very important work that affects everyone – from the CEOs of the Silicon Valley giants to the end users who effectively pay their salaries. Letting that work go unrewarded or asking researchers to exchange it for a branded baseball cap and a t-shirt is completely illogical.

Speaking of logic, we have yet to hear a reasonable explanation as to why iOS is covered by a bug bounty program (that doesn't always work as well as it should), and macOS isn't. We'll leave it up to you to speculate on whether or not this has something to do with the figures we quoted in the first paragraph.

You must also bear one other thing in mind. No patch is expected for now, meaning that other people might start looking for the vulnerability. And those who find it might have intentions that are much more nefarious than Linus Henze's.

What can you do to protect yourself?

The exploit is dependent on the macOS Keychain being unlocked. In most cases, this happens automatically when you log in, but you can set it up so that your account and Keychain passwords are different. This means that every time you need to use data from Keychain, you'll need to unlock it manually. It could also mean, however, that you'll need to enter your Keychain password quite often.

Your other option is to do away with Keychain altogether and use a dedicated password management application like Cyclonis Password Manager. It also stores your passwords in an encrypted format, and it lets you sync them across multiple devices.

February 8, 2019
