It is not uncommon for dangerous security holes to be discovered in Apple's operating systems. Apple recently had to deactivate its Group FaceTime service because it was possible to eavesdrop on contacts.
Security holes in the current software version are often discovered shortly after a major software update is released. Now macOS 10.14.3 is affected. Security researcher Linus Henze has discovered a hole in Apple's keychain on macOS 10.14.3 and demonstrated it in a video published on YouTube. There he shows how the bug works, but for a specific reason he did not want to give any further details.
Reading passwords without access rights
In the video, Henze demonstrates how a tool could easily read the entire password collection. The prerequisite: the tool must be running on the Mac in question. The program can be hidden in an app and does not even need access rights to the keychain itself. It strikes once the user has unlocked the Mac keychain themselves.
Not the first time
The security researcher did not provide any precise details, nor does he want to explicitly disclose the error to Apple. He justifies this stance by saying that Apple, unlike all other manufacturers, does not have a bug bounty program for macOS.
Apple itself only has such a system for iOS, but it is not particularly successful. Henze recalls that a similar error was discovered in Apple's keychain on macOS in 2017. An exact assessment of the error cannot be made at present. This will probably be possible soon, as other security researchers are sure to analyze the problem and more information will become available.