One security researcher has demonstrated an exploit that could allow anyone to access saved usernames and passwords without administrator access. He won’t share the details with Apple, however, because there is no reward on offer.

Through its bug bounty program, Apple coughs up rewards when people discover serious iOS vulnerabilities. But the same mechanism does not extend to macOS. That’s why researcher Linus Henze won’t reveal the details of a newly discovered flaw in Mojave.

However, Henze — who earned a good track record by identifying iOS problems — seems happy to show the world exactly what the vulnerability allows. And it’s not good.

KeySteal exploit steals Mac Keychain passwords

Using a program Henze calls KeySteal, he successfully captured usernames and passwords saved to the macOS Keychain without administrator access.

Read more at CultOfMac.com
