A researcher has revealed the existence of a zero-day flaw in macOS Mojave that malware can use to steal plaintext user passwords from the operating system's Keychain. The vulnerability has not been reported to Apple, and its full details have not been made public.
Linus Henze, a German researcher, has published a video showing how a malicious application installed on a system running an up-to-date release of Apple's macOS Mojave (version 10.14.3) can extract passwords from the user's Keychain password management system.
Henze added that neither the malicious app nor the user account it runs under needs admin rights for the attack to work. However, passwords can only be obtained from that user's Keychain; other Keychains are likely out of reach because they are usually locked, and the attack only works against unlocked user Keychains.
The researcher says he has not yet shared his findings with Apple because there is no bug bounty program for macOS. Apple does have a bug bounty program, with rewards of up to 200,000 dollars, but it only covers hardware, iOS and iCloud hacks.
Henze also says that Apple's product security team contacted him after the video went viral; however, he says he will not share any details of the flaw with the tech giant without a bounty.
While details of the flaw have not been made public in order to prevent abuse, researcher Patrick Wardle, who in 2017 revealed a similar flaw in macOS High Sierra, has confirmed to Forbes that the flaw found by Henze exists and the exploit works.