In early February, an 18-year-old German security researcher named Linus Henze demonstrated a macOS attack that would allow a malicious application to grab passwords from Apple's protected keychain. "You know, the ones 'securely' stored so that no one can steal them :)" he wrote. Dubbed KeySteal, the attack called attention to the fact that the macOS keychain makes a very attractive target for hackers. Apple patched the flaw that KeySteal was exploiting at the end of March.
Initially, Henze refused to share details of his hack with Apple, telling media outlets that it was because the company does not have a bug bounty program for macOS. Now, having eventually changed his mind and revealed it to Apple, he is also showing exactly how it works at the Objective by the Sea Mac security conference in Monaco this weekend.
Apple's keychain is essentially a native macOS password manager. Even if you don't use it as your primary password organizer, there's probably still sensitive stuff in there: The keychain is so seamlessly integrated into macOS that you may have saved some login credentials there without realizing it. The service can also store digital certificates used in web encryption and be used to manage public and private keys for encryption. Basically, it's a reliably fruitful target for an attacker to hit, and other researchers have warned about keychain attacks in the past.
shenanigans behind stealthy apple keychain attack
