What Is KeySteal? macOS Keychain Exploit Explained
With the dust still not settled after the FaceTime privacy bug, news about another macOS vulnerability is already making headlines in top-tier media. It's being called the macOS keychain exploit, and if you're a Mac user hearing about it for the first time, do yourself a favor and read this article attentively.
MacOS keychain exploit: what happened?
As it turns out, Keychain, the macOS app designed to securely store passwords and other user credentials, is not as secure as Apple wants us to believe. A German security researcher, Linus Henze, revealed via Twitter that anyone can steal your passwords using an app called KeySteal.
To take advantage of this macOS keychain vulnerability, a password hacker would first need to install this malicious app (KeySteal) on the victim's Mac. Of course, such a situation isn't likely to happen (unless you have a few password hackers hanging out around your Mac every now and then). However, this case demonstrates how little it takes to break into "the most secure password storage" ever.
What is KeySteal?
KeySteal is a malicious app designed to extract user passwords and other credentials stored in macOS Keychain without administrator privileges.
KeySteal was written by an 18-year-old security expert from Germany. It looks like his intention was to show the world how poorly their private data is really protected and, most importantly, to convince Apple of the necessity of offering a bug bounty program for macOS.
KeySteal effectively does its job on all versions of macOS, including the recently updated macOS Mojave.
How did Apple respond to the macOS keychain vulnerability news?
As we know now, Apple did contact Linus Henze regarding the vulnerability he found. They asked him to provide details about his exploit, and he agreed to do so if they would publicly explain why they do not run a bug bounty program for macOS (as they do for iOS).
Apple did not respond, at least not at the time of writing this article.
While it's a good sign that Apple reached out in the first place, it looks suspicious that they refused to meet such a simple request, especially given that the data privacy of their entire user base is at stake.
Furthermore, Apple's website is sending mixed signals about the severity of the issue. The top-ranking search result for "Apple Keychain breach" outright contradicts the following 2 results.
What should you do as a regular Mac user?
If you're worried about falling victim to this troublesome bug, there are 2 simple steps you can take to protect your privacy.
Change your default Keychain password to a unique (and strong) one
Remember that downloading apps from suspicious, unofficial sources can put your online security and privacy at risk
The closing word on KeySteal and macOS keychain exploit
If there is something valuable to learn from this story, let it be this: calling something completely secure is not enough. This worrisome bug should serve as another good lesson to Apple. We wish Linus Henze the best of luck convincing Apple to run a bug bounty program. Obviously, it wouldn't hurt.