
Linus Henze, a security researcher, shared a video on Twitter demonstrating a security flaw in the macOS operating system. The bug makes it possible to gain access to passwords stored in the Keychain, specifically to items in the Login and System categories.

Henze also commented on the bug bounty program that Apple runs. In his own words, he is frustrated that the program covers only the iOS operating system and does not extend to macOS. In protest at how Apple handles bugs in its systems and their reporting, Henze decided not to officially inform the company of his findings.

Henze has already uncovered more than one bug in the iOS operating system in the past, so his words can be considered trustworthy. The attack does not require administrative privileges, and access to Keychain passwords on a Mac can be obtained even on computers with System Integrity Protection enabled. However, the iCloud keychain is not affected by the bug because it stores passwords in a different way. In theory, it is possible to defend against the bug by securing the keychain itself with one more password, but this option is not available by default, the whole process is quite complex, and it leads to numerous verification dialogs while working on the Mac.

Source: 9to5Mac