Mac passwords are at risk, but teen researcher won’t tell Apple how

A teenager has uncovered a vulnerability within Apple’s macOS operating system that enables an attacker to steal account login details.

18-year-old German researcher Linus Henze has demonstrated how it’s possible for malicious apps to steal passwords from they system keychain, in an exploit called KeySteal.

In the video below (via Forbes), you can see the researcher extracting passwords from macOS while bypassing the need for the administrator password. The result is exposed login details for a number of accounts, displayed in plain text.

The exploit is even actionable on macOS Mojave, the newest version of the Apple’s desktop operating system.

However, the hacker isn’t sharing how the exploit works with Apple, or any one else for that matter. The youngster has taken the opportunity to take a stand against Apple’s bug bounty program, which only rewards those who find security flaws within iOS, and not macOS.

Related: Worst passwords of 2018 revealed

He told Forbes: “It’s like they don’t really care about macOS. Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure.”

The discovery comes soon after a 14-year-old reportedly discovered the FaceTime eavesdropping bug and reported it to Apple, days before the company publicly acknowledged it.

The Group FaceTime bug made it possible for users to listen to or even see another person on the call before they had answered it. Apple is yet to release the fix for the bug, but has disabled the Group FaceTime feature in the meantime. The company says the new version of iOS, which squishes the bug, will be here this week.

Should Apple fork over the cash to researchers who identify macOS flaws too? Or is the researcher putting innocent Mac users at risk by not revealing his methods? Let us know @TrustedReviews on Twitter.