Security researcher Linus Henze shared a video demonstrating a macOS Mojave exploit for accessing passwords stored in the keychain.
The KeySteal application, which is shown in the video, does not require administrator privileges to launch an attack. Access control list settings also do not matter.
The exploit works on computers with System Integrity Protection enabled. It can access all items in the login and System keychains. The iCloud keychain is not affected, because it stores data in a different way.
Users can protect themselves by locking the login keychain with an additional password, but this option is disabled by default. It is also inconvenient to use because of the endless authentication prompts that pop up while using macOS.
It is not known if Apple is aware of this macOS security issue.
In the past, Henze has repeatedly reported on vulnerabilities in iOS. This time he did not inform Apple, but simply published a video with an impromptu demonstration in protest. The developer encourages other hackers and researchers to publicly report Mac security issues. In this way he wants to put pressure on Apple to expand its reward program for bugs found in macOS.