February 7, 2019 // 5:36 p.m.
A security researcher has created an application which is capable of capturing supposedly-protected credentials from the keychain system in Apple's macOS Mojave - and is refusing to tell Apple the details unless it launches a bug bounty programme.
Apple was late to the bug bounty concept, in which researchers are offered financial incentives for disclosing discovered security vulnerabilities privately to the company in question before making them public; it launched its first programme in 2016. Its scope, however, is limited: Apple's current bug bounty programme, which is available by invitation only, covers only the company's iOS mobile operating system. The flaw in macOS Mojave discovered by 18-year-old Linus Henze is therefore ineligible for a payout - and so he is simply not disclosing it to Apple at all.
Instead of sending a disclosure privately to the Cupertino-based company, Henze published a video showcasing his creation: a tool capable of retrieving credentials, including passwords, from the supposedly-secure system keychain. It is a follow-up to a 2017 vulnerability in macOS High Sierra which has since been patched.
'I won't release this,' Henze writes in the video comments. 'The reason is simple: Apple still has no bug bounty programme (for macOS), so blame them. Under #OhBehaveHack (yes, I really like the Austin Powers movies) I will release more videos showing vulnerabilities in the future. #OhBehaveApple will be for vulnerabilities found in Apple products. Maybe this forces Apple to open a bug bounty programme at some time.'
Apple has not commented publicly on the vulnerability, but it has been independently confirmed by researcher Patrick Wardle - who discovered the earlier keychain flaw in macOS High Sierra - who described it via Twitter as 'a lovely bug & exploit [which] works on macOS 10.14.3 [and] dumps passwords, private keys, & tokens'.
Those looking to protect themselves while Apple figures out the root cause and issues a patch are advised to set a keychain-specific password - one that differs from the account's login password, so the keychain is not unlocked automatically at login, trading some convenience for security - or to manually lock the keychain when it is not in use.