Today, Apple began rolling out its latest version of macOS, known as ‘High Sierra’. The update aims to give Mac users several new and useful features, but unfortunately it seems that the update also brought to light a flaw in Keychain, Apple’s program for storing and sharing passwords across multiple devices.
It turns out that unsigned apps running on High Sierra and earlier versions of macOS can access Keychain and display usernames and passwords in plain text without requiring the user to enter their master password. This zero-day flaw was discovered by ex-NSA analyst Patrick Wardle, who tweeted about it and shared a video of the exploit.
To show off the exploit, Wardle created an app called ‘keychainStealer’. Speaking with Forbes, the former NSA employee explained that it isn’t difficult to get malicious code running on macOS. In order for this particular exploit to work, all someone needs to do is download a third-party app from an ‘unknown source’, essentially meaning anyone not directly approved by Apple.
If a user installs an app from an unknown source, then a hacker could “dump and exfiltrate the keychain, including plain text passwords”, all without root access. As Wardle puts it, “normally you are not supposed to be able to do that programmatically”.
Right now, it is expected that Apple will fix this exploit in a patch relatively soon. Since this zero-day exploit also affects older versions of macOS, this isn’t something that should stop you from upgrading.
KitGuru Says: Apple tends to take device security and user privacy very seriously, so this exploit will likely be patched out within the next couple of days. Are any of you currently using a Mac? Have you updated to High Sierra yet?