A German teen has found a vulnerability in macOS that exposes all passwords stored on the system, but he has decided not to give Apple any information about it, according to reports.
The bug, which was discovered by 18-year-old Linus Henze and was first verified and reported by Forbes, leaves passwords visible to malicious apps. The potential information available to be stolen could include bank logins, streaming site passwords from companies like Netflix and Amazon, passwords to chat apps like Slack and many more. Although the bug is a Mac-only problem, it could leave iPhones in danger if someone is using iCloud keychain, a program that stores private keys and passwords in one place.
Henze doesn’t want to tell Apple about the bug because of “lack of payment for such research.” “Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure,” he said.
Henze figured out that he could create an app that could read what was inside Apple’s keychain without any permission or need for special privileges, which means that potentially any app might be able to do the same if the keychain hack is hidden inside an app that seems legitimate. Another route would be to direct a user to a website that surreptitiously launches malicious code, putting all passwords and keys stored in the keychain at risk.
“Running a simple app is all that’s required,” Henze said.
The attack could also potentially collect tokens used to access iCloud, which might make it possible to commandeer an Apple ID and retrieve the keychain information from Apple’s own servers.
One potential workaround, at least until Apple releases an update that patches the issue, is to set a master password on the keychain.