At the beginning of January, Apple subtly joked about the security of Android smartphones; a month later, a serious vulnerability was discovered in one of Apple's services. The flaw makes it possible to access passwords and credentials on Mac computers without administrator or superuser rights.
The vulnerability was discovered by security expert Linus Henze, who refused to share details with Apple in protest. He is dissatisfied that the reward program for finding vulnerabilities applies only to iOS and not to macOS. The error that allows access to other people’s data was found in the desktop operating system.
On computers running macOS Mojave, users have Keychain Access, which stores passwords and credentials for various services and sites. Viewing them requires entering the security code, but Linus Henze found a way to bypass this restriction. He created a program capable of “pulling out” all the data from Keychain Access without entering the code and without administrator or superuser rights.
It is important to note that the vulnerability affects only the standard Keychain application and does not apply to iCloud Keychain. Apple has not commented on the situation.