New Mac Hack Can Steal Your Passwords: What to Do Now

MacOS has a new serious vulnerability that essentially leaves your computer’s passwords wide open to be stolen by hackers. Its name: KeySteal.

Credit: Laptop Mag

(Image credit: Laptop Mag)

Here you can see it in action:

First reported by technology publication Heise Online, the vulnerability opens a door to steal all passwords in your Mac’s “login” and “System” keychain, which leaves you wide open to attack even if you have security measures like Access Control Lists and System Integrity Protection using Apple’s latest T2 security chip.

The KeySteal exploit was discovered and announced by security researcher Linus Henze, a self-declared macOS and iOS fan who has a record of discovering other vulnerabilities in the past. He is also a member of Sauercloud, a German computer security team that participates in hacking Capture The Flag competitions. In other words: his exploit is most probably not made up, but very real.

The only way to protect your computer’s keychain is to lock the login keychain with an extra password, which will result in macOS asking you for that password each time you try to do almost anything with your computer.

Fortunately, the iCloud keychain is not affected. There are no news about Apple acknowledging this problem yet, but we have contacted them and we update this article with whatever they say.

This is the second big breach in macOS Keychain’s security, which already suffered another serious vulnerability back in September 2017. That opening was closed by Apple, but this one hasn’t yet — and it may not be patched for quite a bit of time.

The reason: Henze is protesting Apple’s lack of security bounties for macOS. While Apple offers rewards to people who find hacking vulnerabilities in iOS, it doesn’t offer the same program for macOS computers. Henze thinks this is dumb and unfair — not to mention indicative of Apple’s lack of serious commitment to their computer OS’ security — and therefore has decided not to share the bug procedure, calling others to do the same.

Establishing security hole bounty programs is a regular practice in the computer industry because it promotes increased security, giving a lot of smart people a reason to invest their time in finding problems. Even Elon Musk’s Tesla has such a program in place to increase the security of his internet-connected electric cars.

Jesus Diaz

Jesus Diaz founded the new Sploid for Gawker Media after seven years working at Gizmodo, where he helmed the lost-in-a-bar iPhone 4 story and wrote old angry man rants, among other things. He's a creative director, screenwriter, and producer at The Magic Sauce, and currently writes for Fast Company and Tom's Guide.

  • verndewd
    no solution? i mean there is but you didnt offer one anyway i DO have a solution first is the nsa guidelines on mac use second, is learning some terminal commands and installing powerful security programs

    dscl . list /Users | grep -v "_\|nobody\|root\|daemon"
    finds any hidden accounts use this after the next command

    sudo defaults write /Library/Preferences/ Hide500Users -bool NO
    disallows hidden accounts to be hidden

    defaults read /Library/Preferences/
    Login window data

    tail -F /var/log/system.log
    follows everything the system is doing, This is how i found the recent google zero day exploit before google did. And it was a brash assumption based on resources and google update timing.

    kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef
    shows running kexts programs

    sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
    shows launch demons
    sudo /System/Library/CoreServices/RemoteManagement/ -deactivate -configure -access -off
    turns remote access off at bootsudo ifconfig en0 ether openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' server usage not osx
    essentially an ipconfig type command that reveals local information
    Here are your port informations
    Well Known Ports: 0 through 1023.

    Registered Ports: 1024 through 49151.

    Dynamic/Private : 49152 through 65535.

    sudo nmap -sV -Pn --script=http-malware-host 192.168.0.x (your IP address)
    incorrect osx usage some reading required

    sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
    DNS flush

    launchctl list |grep mdworker
    reveals mdns data
    . You need to do insane amounts of research on these. but in the end sudo tcpdump -n -p -s is most all of what you need to know youre being hacked..
    I havent added a wireshark part to my regimen yet but you should.

    Then you need a mac os firewall front end, any decent one isnt a fire wall you dont need a literal fire wall you need control over the power of the unix framework behind osx.
    murus, icefloor and little snitch.
    icefloor is said to be good but murus is said to be better, I tried little snitch and was impressed. But the general consensus is murus is better. Little snitch does geo location, but with hackers thats useless.
    Nmap is too powerful you can get in serious trouble using it the wrong way as hackers use it for brute force attacks and ddos. But Nmap can reveal massive amounts on your local network. far the simplest and easiest thing to do is the NSA guidelines and use Murus. Murus will cost you a few weeks but the stuff ive posted was an effort made in a couple years. Especially with nmap.

    after all this reset your passwords

    Note: I purposefully used unix server code on some of these to force people to research
  • verndewd
    My murus profile . everything filtered or and the adaptive port blocking has added over 280 blocked private dynamic ports AND you can run tcpdump from murus.
  • verndewd Ideal hosting in turkey. By now i probably have several gigs of these port attacks after beginning my monitoring at 3:30 AM this and a 52 or 54.x.x.x. My machine is under attack BUT when i hear the fans start up I input this:

    sudo /System/Library/CoreServices/RemoteManagement/ -deactivate -configure -access -off

    This generally works to cut out any foot hold they may have gained, I am also behind a hotspot with added security, which really isnt all that helpful but its one step added for them to get through. Next step is a VPN which i am reluctant to do but probably will.

    Im not even exaggerating about this servers assault on my ports, at this point its probably tens of thousands of logs from the same IP. i thin my hot spot and fire tab are compromised as they are on the murus firewall logs as blocked incoming. But it worked for a day to mitigate attacks, using my set top box as a stage between my router in hotspot mode. :)

    I also monitor every web session with tcpdump, opensnoop and tail syslogs. At this point Murus adaptive port blocking is up to 250 private dynamic ports.

    11:06:51.264841 IP > Flags , seq 3805495142:3805496582, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.265301 IP > Flags , seq 3805496582:3805498022, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.265358 IP > Flags , ack 3805498022, win 609, options , length 0

    11:06:51.269811 IP > Flags , seq 3805498022:3805499462, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269819 IP > Flags , seq 3805499462:3805500902, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269821 IP > Flags , seq 3805500902:3805502342, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269823 IP > Flags , seq 3805502342:3805503782, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269826 IP > Flags , seq 3805503782:3805505222, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269828 IP > Flags , seq 3805505222:3805506662, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269830 IP > Flags , seq 3805506662:3805508102, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.269928 IP > Flags , ack 3805500902, win 519, options , length 0

    11:06:51.269960 IP > Flags , ack 3805503782, win 429, options , length 0

    11:06:51.269992 IP > Flags , ack 3805506662, win 339, options , length 0

    11:06:51.270297 IP > Flags , seq 3805508102:3805509542, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.270350 IP > Flags , ack 3805509542, win 249, options , length 0

    11:06:51.270755 IP > Flags , seq 3805509542:3805510982, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.271229 IP > Flags , seq 3805510982:3805512422, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.271268 IP > Flags , ack 3805512422, win 159, options , length 0

    11:06:51.271701 IP > Flags , seq 3805512422:3805513862, ack 574178429, win 130, options , length 1440: HTTP

    11:06:51.272174 IP > Flags , seq 3805513862:3805515302, ack 574178429, win 130, options , length 1440: HTTP
  • verndewd
    sudo find / -user 502 -exec chown camf {} \;
    to repair permissions, fyi murus added 100 ports today
  • verndewd
    sudo diskutil resetUserPermissions / id -uSystem wide permissions reset

    ps -A | grep Remote
    Gather remote session info

    killall "Remote Desktop"
    Kill remote desktop

    sudo launchctl unload /System/Library/LaunchDaemons/
    Kill screen sharing Out put should be service not foundon both the above commands.

    ls -la /Users
    System wide users info

    dscacheutil -q group

    Group info

    dscl . list /Groups GroupMembership
    Members of groups

    sudo fs_usage | grep dev
    File system usage in the dev folder

    sudo fs_usage -f network
    File system use on the network
    Both are live logs