An 18-year-old German security researcher has published details of a serious vulnerability in macOS but refused to share the details with Apple as a protest against the company’s not having a bug bounty program.

The researcher, Linus Henze, demonstrated the “KeySteal” vulnerability on video, claiming that it was a macOS Mojave exploit that allowed access to passwords stored in the Keychain. Keychain is the password management system app in macOS that holds encrypted passwords for services both from Apple and third parties such as social networking sites and apps.

The demo shows that access can be obtained to encrypted passwords without root or administrator privileges and, more remarkably, without password prompts at all.

The exploit does require the given Mac to be infected by malware, raising the challenge level slightly, but Henze argues that doing so is not difficult. Pathways for infection could include adding code to a legitimate app or via an infected webpage designed to insert the code.

MacOS vulnerabilities are not new, but refusing to work with Apple is. In an interview over the weekend with German tech site Heise, Henze said he didn’t report the vulnerability to Apple because the company does not operate a bug bounty program for macOS. With a bug bounty program, a company pays money for bugs, or security vulnerabilities reported to them. Apple has a bug bounty program for iOS but not macOS.

Talking to ZDNet Wednesday, Henze said Apple’s security team had reached out after his research had started getting media attention, but he declined to assist unless they started a bug bounty program for macOS.

“Even if it looks like I’m doing this just for money, this is not my motivation at all in this case,” Henze said. “My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers.”

He added that he loves Apple products and wants to make them more secure. “And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program,” he said.

The bad news, at least at the time of writing, is that there is no fix for the vulnerability detailed by Henze. Until Apple eventually issues a patch, there’s a possibility that those with nefarious intent may start to exploit it.

Photo: Pixabay