Keychain is a built-in password manager for macOS. It houses passwords, encryption keys, and certificates from a wide range of sources including websites, apps, and attached hardware. Using a software tool he created called “KeySteal,” Henze can access all the passwords on a Mac’s keychain with one click.
He says that the exploit is similar to Patrick Wardle’s 2017 “KeychainStealer,” but whereas Apple has patched that vulnerability, this one is still wide open. He says that the program works without administrative privileges or root passwords. It also works with macOS login and system keychains.
He tested it on a 2014 MacBook Pro, and it worked flawlessly. However, it's unclear if the exploit can get past the security chips in newer MacBooks.
Typically, researchers do not reveal security flaws until the company has been notified and has had time to patch them. However, Henze said he is posting the vulnerability publicly because Apple has no bug bounty program for macOS. The company does have one for iOS, but it is so limited in scope, and so difficult to get rewarded from, that it is almost useless. Just ask Grant Thompson, the boy who discovered the FaceTime bug.
Despite not disclosing the details to Apple, Henze says he will not reveal how the exploit is performed to anyone else either. He is not looking to harm Apple or its users, just to inform them of the problem. It is up to Apple to figure out what is wrong — at least until it starts a proper bug bounty program.
In the meantime, Henze will be posting other Apple product exploits that he discovers under the hashtag #OhBehaveApple.
“The reason is simple: Apple still has no bug bounty program (for macOS),” he explains. “Maybe this forces Apple to open [one] at some time.”