A new macOS vulnerability that reveals all of a user’s stored passwords to malicious apps was discovered by Linus Henze, an 18-year-old from Germany. He is not sharing the details with Apple at this time. The bug was verified and reported by Forbes; Apple is not commenting on it at this time.
For an average Mac user, the data that could be stolen includes credentials for financial institutions, passwords for streaming sites and chat apps, and much more. Although the bug is a Mac-only problem, it could leave iPhones in danger if someone is using iCloud Keychain, a program that stores private keys and passwords in one place.
In his research, Linus Henze was able to create an app that could read what was inside Apple’s keychain without any permission or need for special privileges, putting all passwords and keys stored in the keychain at risk. Beyond that, a malicious app could potentially collect tokens for accessing iCloud and compromise an Apple ID to get the keychain information from Apple’s own servers. “Running a simple app is all that’s required,” Henze said.
Linus Henze doesn’t want to share the details of this bug with Apple because he believes that the serious work that goes into research of this kind should be compensated fairly. “I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure,” Linus said.
It is safe to assume that anyone who stores passwords on macOS should consider their stored credentials vulnerable. I am sure if you are reading this you can think of stored passwords you use for banks, retailer websites, video and sound streaming sites and chat services. As a potential fix, consider setting a master password on the keychain as soon as possible, at least until Apple releases an update and patches the issue.