An 18-year-old German researcher has discovered and published a proof of concept he’s calling KeySteal: what he claims is a zero-day bug that could be exploited by attackers using a malicious app to drain passwords out of Apple’s Keychain password manager.
No fix is expected anytime soon. The researcher, Linus Henze, says he’s not sharing details with Apple – and yes, the company asked – in protest of the company’s invite-only/iOS-only bounties.
I won’t release this. The reason is simple: Apple still has no bug bounty program (for macOS), so blame them.
The bug affects even the most recent version of macOS, Mojave.
On Sunday, Henze posted a proof-of-concept video to YouTube.
It demonstrates extraction of all local Keychain passwords on macOS Mojave, and Henze says it works on earlier versions of the OS. It works without root or administrator privileges and without password prompts, he says.
A bit about Keychain
Apple’s Keychain is a password manager that’s built into macOS and turned on by default, hopefully making it hassle-free for users to switch to using a manager to store the gazillion passwords people tend to have nowadays.
As Naked Security’s Maria Varmazis has explained, Keychain captures the passwords you enter in apps and on websites, stores them in encrypted form (locally on the Mac, and synced across your devices via iCloud Keychain if you turn that on), and then fills in your credentials automatically the next time you need them. That way, you don’t have to remember your passwords or glue them to your monitor on a sticky note.
This isn’t the first time
Of course, having all your credentials in one convenient place makes it crucial that the one place is as secure as possible. But, unfortunately, this isn’t the first time we’ve seen a password stealer prey on Keychain. In 2016, the download of the popular BitTorrent client Transmission was trojanised not once, but twice, and one of those payloads went after the contents of Keychain.
And in 2017, security researcher Patrick Wardle demonstrated keychainStealer. That one got into Keychain passwords via an unsigned Mac app, then dumped the credentials into a plain text file.
KeySteal sounds similar to keychainStealer in that it, too, is triggered by a malicious app. In his video, Henze opens Keychain Access, where he has stored fake versions of his passwords, such as those for his Facebook and Twitter accounts. Whatever app he created – again, he’s not sharing details – was able to read the contents of the keychain without the victim’s explicit permission and without any admin-level privileges. Henze:
Running a simple app is all that’s required.
How would the bad app get onto a Mac in the first place? Henze suggested that an attacker could tuck it into a legitimate app, or that it could be downloaded from a booby-trapped website.
Henze told Forbes that the attack can also grab tokens for accessing iCloud. Thus, an attacker could potentially also take over an Apple ID and download the keychain from the company’s servers.
Yet another bug-collecting kid
This is the second time in two weeks that a teenager has discovered a bug in Apple’s products. Just last week, we found out about a FaceTime eavesdropping bug that was reportedly discovered by a 14-year-old (and his mom).
Apple is working on a fix for the FaceTime bug and will reportedly give the 14-year-old, Grant Thompson, an as-yet-undetermined bounty via its iOS bug bounty program.
That program, which Apple set up in 2016, offers rewards up to $200,000 for vulnerabilities found in its software.