Researcher finds macOS bug but won’t share details with Apple

He’s protesting Apple’s bug bounty policies.

A researcher has discovered an exploit that can expose passwords on macOS, but says he won't share details of the bug with Apple because of its bug bounty policies. Linus Henze posted a demo video of the KeySteal exploit this week. It seems to grab passwords from login and system keychains without requiring administrator privileges, with a simple click of a button. It works on the latest version of macOS Mojave, though it doesn't seem to affect items stored in iCloud's keychain.

Yet Henze won't help Apple patch the exploit because its bug bounty program only pays out to researchers for disclosing bugs on iOS and not macOS. "It's like they don't really care about macOS," he told Forbes. "Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we're helping Apple to make their product more secure."

This is the second time in a couple of weeks that a teenager has unearthed an Apple security problem (Henze is 18). A 14-year-old tried to alert Apple about the Group FaceTime bug that allowed a caller to listen in on others before they answered the call. Apple said it will issue a fix for that this week, though it's unclear when it will patch the password bug.