German security researcher Linus Henze this week discovered a new zero-day macOS vulnerability dubbed „KeySteal,“ which, as demoed in the video below, can be used to get to all of the sensitive data stored in the Keychain app.
Henze appears to use a malicious app to extract data from the Mac’s Keychain app without the need for administrator access or an administrator password. It can get passwords and other information from Keychain, as well as passwords and details for other macOS users.
Henze has not shared the details of this exploit with Apple and says that he won’t release it because Apple has no bug bounty program available for macOS. [...]
Chinese security researcher Wish Wu was set to give a talk on hacking Face ID at the Black Hat Asia hacking conference in Singapore in March 2019, but at the request of his employer, he’s canceled the talk, reports Reuters.
His presentation, called „Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms,“ supposedly offered details on a way to get past Face ID on the iPhone X „under certain conditions.“
Curiously, the Wu says that his hack did not work on the iPhone XS and XS Max. Given that the three smartphones use the same Face ID system, it’s not entirely clear why a bypass method that works on the [...]
Apple today reminded Mac developers that it is encouraging them to have their apps notarized, meaning that the apps have been scanned by Apple and checked for malware and other security issues.
Notarization is not currently a requirement for apps distributed outside of the Mac App Store, but Apple says it will „more prominently highlight notarization status“ starting in the spring of 2019. And in an unspecified „upcoming macOS release,“ Apple will require any Developer ID-signed apps to be notarized.
When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog [...]
In a statement issued Saturday evening, the U.S. Department of Homeland Security said it has „no reason to doubt“ the companies who denied this week’s Bloomberg Businessweek report about China tampering with servers manufactured by Supermicro.
”The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security [...]