Apple vulnerabilities and exploits have been found by teenagers the past weeks. Just a week ago, a 14-year old found a bug that allowed you to snoop on iPhone and Mac users via a Facetime problem.
And now, an 18 year old German named Linus Henze has found a major vulnerability affecting the latest Apple MacOS iCloud Keychain that leaves stored passwords open to malicious apps.
Yes you have read it correctly, this one involves your iCloud Keychain. This would include all your stored passwords that are synced on your iPhone and Macs.
As of the moment, there will be no fix yet since Linus Henze has not released his findings to Apple. According to him, lack of payment for such research was his driving force to keep the hack’s methodology and details away from Apple.
Henze made an app that was able to read what was in the iCloud Keychain without requiring explicit permission from. It does not require special privileges either. It just needs to run the app.
If someone gets a hold of this, hackers could hide the keychain exploit in a legit app and wreck havoc from there. Another way is by directing a user to a website that can run the code. The hack could grab tokens for the iCloud Keychain, and it could possibly take over an Apple ID and download the keychain from Apple’s server said Henze.
The other teenager mentioned earlier, Grant Thompson uncovered the Facetime Bug. Apple has promised a fix and will reportedly give the 14-year-old payment via its iOS bug bounty program. It offers up to $200,000 in return for information on security weaknesses in its mobile operating system.
Apple’s bug bounty is by invite only and only for iOS. Henze criticized Apple that finding vulnerabilities like this takes time. Compensating researchers would be the right thing to do since they help make the product more secure.
It feels like a let down since Apple still has flaws in securing the keychain. Keychain is supposed to to be a secure spot to store your sensitive information. However, this is not true anymore and might be under attack soon.
Apple has no technical information from Henze. Having this fixed soon is still unclear. Maybe Apple should reconsider how much they pay people who finds bugs and vulnerabilities for them.
Apple Mac security specialist Patrick Wardle discovered a similar bug last 2017. users could take steps to prevent any apps stealing their passwords. Perhaps the best current defense is to manually set a password for the keychain. But that will mean every time a legitimate application wants to use a password from the keychain, the user will have to enter the login.
Having an extra layer of password would help but, it would slow you down a bit in terms of usability.