TEENAGE YEARS can be trying for the youth of today, with some turning to computers to ignore the raging hormones, spots, mood swings and unwanted erections; that may have been the case with an 18-year-old who’s discovered a fresh macOS flaw.
Linus Henze, a German teenager and hobby hacker by the looks of it, found a vulnerability in Apple’s latest version of macOS Mojave that leaves stored passwords open to pilfering by malicious apps; this comes just weeks after a 14-year-old uncovered the devastating FaceTime ‘eavesdropping’ bug.
Henze discovered he could create an app that could read the data in macOS’ keychain, which stores private password and keys, without the need for explicit privileges or admin access.
He created a proof-of-concept malware which could dig into the keychain data, noting that such malware could be hidden in a macOS app or behind a webpage as executable code, reported Forbes.
Henze even reckons the exploit could download keychains from Apple servers as the vulnerability could be exploited to pilfer tokens for iCloud access and lead to a hacker taking over an Apple ID.
It’s a pretty serious flaw, but at the time of writing, no fix looks to be in the works. That’s because Henze hasn’t informed Apple, as he explained to Forbes that there’s no payment for disclosing his security discovery, so he won’t flag it to Cupertino’s engineers.
The problem seems to stem from Apple’s bug bounty being invite-only, meaning non-pro white hats like Henze get left out in the cold.
“It’s like they don’t really care about macOS,” Henze told Forbes. “Finding vulnerabilities like this one takes time and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure.”
Apple has yet to put out a statement about the vulnerability, presumably because it’s scrambling to fix the flaw with scant technical detail.
It looks like Apple’s famed secrecy and walled garden approach to everything it does may be coming round to bite it. And where once Apple stuff “just works”, it’s now looking a tad more ropey than it used to; just look back at the macOS High Sierra password security borkage if you want a clear example. µ
Source : Inquirer