New Mac Hack Can Steal Your Passwords: What to Do Now

MacOS has a new serious vulnerability that essentially leaves your computer’s passwords wide open to be stolen by hackers. Its name: KeySteal.

Credit: Laptop Mag

(Image credit: Laptop Mag)

Here you can see it in action:

First reported by technology publication Heise Online, the vulnerability opens a door to steal all passwords in your Mac’s “login” and “System” keychain, which leaves you wide open to attack even if you have security measures like Access Control Lists and System Integrity Protection using Apple’s latest T2 security chip.

The KeySteal exploit was discovered and announced by security researcher Linus Henze, a self-declared macOS and iOS fan who has a record of discovering other vulnerabilities in the past. He is also a member of Sauercloud, a German computer security team that participates in hacking Capture The Flag competitions. In other words: his exploit is most probably not made up, but very real.

The only way to protect your computer’s keychain is to lock the login keychain with an extra password, which will result in macOS asking you for that password each time you try to do almost anything with your computer.

Fortunately, the iCloud keychain is not affected. There are no news about Apple acknowledging this problem yet, but we have contacted them and we update this article with whatever they say.

This is the second big breach in macOS Keychain’s security, which already suffered another serious vulnerability back in September 2017. That opening was closed by Apple, but this one hasn’t yet — and it may not be patched for quite a bit of time.

The reason: Henze is protesting Apple’s lack of security bounties for macOS. While Apple offers rewards to people who find hacking vulnerabilities in iOS, it doesn’t offer the same program for macOS computers. Henze thinks this is dumb and unfair — not to mention indicative of Apple’s lack of serious commitment to their computer OS’ security — and therefore has decided not to share the bug procedure, calling others to do the same.

Establishing security hole bounty programs is a regular practice in the computer industry because it promotes increased security, giving a lot of smart people a reason to invest their time in finding problems. Even Elon Musk’s Tesla has such a program in place to increase the security of his internet-connected electric cars.

Jesus Diaz

Jesus Diaz founded the new Sploid for Gawker Media after seven years working at Gizmodo, where he helmed the lost-in-a-bar iPhone 4 story and wrote old angry man rants, among other things. He's a creative director, screenwriter, and producer at The Magic Sauce, and currently writes for Fast Company and Tom's Guide.