Apple seems to be in trouble as a new and serious security vulnerability has surfaced on the internet. This security vulnerability affects macOS and leaves all the passwords stored on the operating system exposed to malicious apps. This new bug comes just days after the company patched the much talked about a security flaw in its Group FaceTime calling feature. Similar to the previous bug, this new bug was also discovered by a teenager. However, unlike the previous bug where the family of the teenager tried to get in touch with the company to report the problem, the teen who discovered this password bug has not disclosed any information to Apple.
The bug was initially reported by Forbes where the publication talked to the teenager and verified the bug. According to the report, the reason the 18-year-old from Germany, Linus Henze did not reveal any information about the bug the Apple is because of payment issues. Henze stated that “lack of payment for such research” that uncovered the security bug is the reason that led him to not share any information about the issue with the company. The report also confirmed that the latest version of MacOS is also affected by the vulnerability.
Watch: Apple MacBook Air 2018 Hands-on
Sharing details about the security flaw, Henze realized that he could make an app that could read the contents stored in the Apple “keychain”, a portion of macOS that stores all the important “private keys and passwords”. The app did not require any permission from the user to read such sensitive data or require any “special privileges”. This means that any regular app may be able to access all the important passwords that a user has stored on their macOS.
In case any user syncs their passwords across their iOS and macOS devices with the help of “keychain” then all their passwords are at risk. In the report, Henze stated, “Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure.” The report also indicated that a possible quick fix to the problem till the time the company rolls out a patch is likely to set a master password on ‘keychain’.