macOS Keychain flaw could expose user passwords

The researcher disclosed the flaw to Apple despite the lack of a bug bounty program


A German teenager has disclosed details of a Keychain security flaw in macOS to Apple, after discovering it in February.

The eighteen-year-old Linus Henze, who dubbed the flaw ‘KeySteal,’ initially refused to share details with Apple because the company didn’t have a bug bounty program for macOS.

Bug bounty programs are common in the tech industry as a way to reward researchers for discovering bugs in software. Apple runs such a program for iOS but has no equivalent program for macOS.

Henze argued that his refusal wasn’t about the money, but about the creation of a bug bounty program for macOS. Ultimately, he chose to share the details with Apple because “the security of macOS users is important” to him.

Additionally, Henze included a patch in his submission to Apple, and he did so for free.

The zero-day macOS vulnerability could allow an attacker to obtain sensitive data stored in Keychain, such as passwords and other login credentials.

Henze hopes Apple will change its stance and offer a bug bounty program for macOS.

Source: Twitter Via: MacRumors