Mac passwords are at risk, but teen researcher won’t tell Apple how

A teenager has uncovered a vulnerability within Apple’s macOS operating system that enables an attacker to steal account login details.

18-year-old German researcher Linus Henze has demonstrated how it’s possible for malicious apps to steal passwords from the system keychain, in an exploit called KeySteal.

In the video below (via Forbes), you can see the researcher extracting passwords from macOS while bypassing the need for the administrator password. The result is exposed login details for a number of accounts, displayed in plain text.

The exploit even works on macOS Mojave, the newest version of Apple’s desktop operating system.

However, the hacker isn’t sharing how the exploit works with Apple, or anyone else for that matter. The youngster has taken the opportunity to take a stand against Apple’s bug bounty program, which only rewards those who find security flaws within iOS, and not macOS.

He told Forbes: “It’s like they don’t really care about macOS. Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure.”

The discovery comes soon after a 14-year-old reportedly discovered the FaceTime eavesdropping bug and reported it to Apple, days before the company publicly acknowledged it.

The Group FaceTime bug made it possible for users to listen to or even see another person on the call before they had answered it. Apple is yet to release the fix for the bug, but has disabled the Group FaceTime feature in the meantime. The company says the new version of iOS, which squashes the bug, will be here this week.

Should Apple fork over the cash to researchers who identify macOS flaws too? Or is the researcher putting innocent Mac users at risk by not revealing his methods? Let us know @TrustedReviews on Twitter.
