The researcher has, however, decided not to share the details of the exploit with Apple out of frustration that the company’s bug bounty program only applies to iOS and not macOS. In the past, Henze has publicly shared legitimate iOS vulnerabilities so he has a track record of credibility.
Remember KeychainStealer by @patrickwardle which can steal all your keychain passwords?
While his vulnerability is patched now, I’ve found a new one, affecting macOS Mojave and lower.
More information can be found in my video:https://t.co/wBQL2s6v7z#OhBehaveHack #OhBehaveApple
— Linus Henze (@LinusHenze)
Looking at the video, it appears the ‘KeySteal’ app does not even require administrator privileges to execute the attack. The exploit is also claimed to work on macOS machines with System Integrity Protection enabled.
So far, it is not known if Apple is aware of the problem or not. Check out the following video and share your thoughts with us in the comments section.