Computer security researcher Linus Henze discovered an exploit in macOS Mojave, dubbed KeySteal, that enables anyone to steal passwords from the operating system’s Keychain Access without requiring administrator privileges. Fortunately, as far as we know, it doesn’t affect items stored in iCloud’s keychain. This may take a while to get patched, since Henze is protesting Apple’s bug bounty program, which pays researchers only for disclosing bugs on iOS and not macOS.
“This is the second time in a couple of weeks that a teenager has unearthed an Apple security problem (Henze is 18). A 14-year-old tried to alert Apple about the Group FaceTime bug that allowed you to listen in to others before they answer the call. Apple said it will issue a fix for that this week, though it’s unclear when it will repair the password exploit,” reports Engadget.