Yet another teenager has uncovered a serious weakness in Apple technology.
Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger. To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.
The researcher, who has uncovered other iOS and macOS bugs in the recent past, discovered a way into the Apple “keychain.” That’s the area of the macOS that stores private keys and passwords, making it a goldmine for hackers. Henze found he could create an app that was able to read what was in the keychain without requiring explicit permission from the victim. His mock malware didn’t require special privileges, like administrator-level permissions. “Running a simple app is all that’s required,” Henze said. As for how the malware could get onto the Mac in the first place, a malicious hacker could hide the keychain exploit in a legitimate app, Henze hypothesized. Or a user could be directed to a webpage that would launch rogue code. And because the attack could grab tokens for accessing the iCloud, it would be possible to take over an Apple ID and download they keychain from the company’s servers, said Henze.