KeySteal exploit attacks MacOS keychain to take all your passwords

An 18-year-old cybersecurity researcher in Germany reportedly developed the exploit.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

An exploit called KeySteal can access your passwords in your Mac's keychains.

Sarah Tew/CNET

A malicious app running on your Mac could steal your cache of passwords, a teenage security researcher has found.

Calling his exploit KeySteal, Linus Henze demonstrated on YouTube how the attack would work. It takes advantage of a flaw in the code that runs a Mac's internal stores of passwords, called keychains. As the malicious application works, it pulls up a list of passwords for apps that commonly interface with computers, like Facebook and Twitter.

Henze, who tweeted out the YouTube demonstration on Sunday, is 18 years old and lives in Germany, he told CNET from his twitter account.

"Normal Mac users should care about this flaw because most Apps store passwords inside the keychain (Online Banking Apps for example) and with my Exploit attackers are able to have access to all these passwords," Henze told CNET in a direct message on Twitter.

Apple security researcher Patrick Wardle said he's seen the exploit up close and can confirm it works. But to target you, hackers first have to get you to run malicious software on your Mac, which is a "high prerequisite," Wardle said.

Still, the results would be very useful for any hacker who succeeded. Instead of maintaining an unauthorized presence on your computer with malware, they could simply get all of your login credentials and then delete the malicious program. Then they could log back in to your accounts legitimately.

"All you need is the password," Wardle said.

Apple didn't provide a comment for this story.

The exploit can access passwords in the "login" and "System" keychain, and it affects Macs running Apple's Mohave operating system (or any MacOS released prior to that), Henze said.

Henze said he's declining to give Apple details of his malicious code because the company doesn't pay researchers when they find flaws that hackers can exploit. Wardle echoed that position, saying the best way for Apple to ensure that the highly sensitive keychain is secure would be to encourage security researchers to find flaws by paying them.

That doesn't leave you totally vulnerable to this flaw, though. Hackers would still need to implant malicious software on your computer. And even though Henze has discussed the flaw publicly, he hasn't told potential hackers all the steps they'd need to take to re-create his malicious app.

If you're still concerned, you can manually lock your Mac's keychains. To do that, you find the spotlight search bar by hitting command + space. Type in "keychain access" and select the program that comes up. Then in your top right screen, right click on the menu item that says "login." Select "lock keychain login" from the drop down menu that appears.

The only problem? You'll have to go back and manually unlock your keychain if you want to allow apps to access it. So for now, you should only consider this if you think of yourself as a high value target for hackers.

First published Feb. 6, 5:30 p.m. PT
Update, Feb. 7 at 11:55 p.m.: Adds comment from Linus Henze.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.