MacOS Zero-Day Exposes Apple Keychain Passwords

[silversurfer]

A researcher claims to have found a new Apple zero-day impacting macOS that could allow an attacker to extract passwords from a targeted Mac’s keychain password management system.
However, the researcher refuses to disclose the alleged vulnerability citing Apple’s lack of macOS bug bounty program.

Keychain Access is the password management system app in macOS, which holds various encrypted passwords for services such as Facebook and Twitter.

The researcher behind the attack, Linus Henze, said that the vulnerability exists in the application’s access control and enables him to extract local keychain passwords without root or administrator privileges, and without password prompts.

Henze, however said that he would not release more information about the proof-of-concept attack, which he dubbed “KeySteal,” because Apple’s bug bounty program is for iOS and does not reward vulnerability findings for macOS.

SOURCE: https://threatpost.com/macos-zero-day-ex...ds/141584/

[Deep900]

Thanks for posting this silver!