macOS Mojave flaw gives access to passwords stored in Keychain Access

Linus Henze, a security researcher with a history of discovering flaws in Apple's operating systems, has shared a video demonstration of what he believes to be a macOS Mojave flaw that gives access to user passwords stored in Keychain Access, as reported by heise online (Google Translate).

As we can see in the video, Henze is running the latest available public version of macOS Mojave (10.14.3).

After opening Keychain Access and exploiting the vulnerability, he was able to access all stored passwords without any effort or administrator privileges using an app called KeySteal. According to the researcher, it doesn't matter whether ACLs are configured or whether System Integrity Protection is enabled.

Fortunately, the data stored in iCloud Keychain (the passwords you use in Safari to log in to services) is not affected by the vulnerability, as it is stored differently.

Apparently, the only way to protect yourself until Apple fixes the problem is to protect Keychain Access with an additional password. The drawback is that this is not at all convenient, since it will make you authenticate for a great many things during normal use of macOS.

Incidentally, it is not known whether Apple has already had access to the vulnerability. Henze did not share his findings because he is very frustrated with Apple, and with some reason, since the rewards program only covers iOS flaws, leaving any important discovery like this one on macOS out.

We'll see if the company fixes this in the next beta versions of macOS Mojave 10.14.4.

via 9to5Mac