A major security vulnerability has been discovered in the newly released macOS High Sierra. The exploit can be used by an attacker to steal usernames and passwords stored in Keychain.
The vulnerability was first pointed out by security researcher and former NSA analyst Patrick Wardle, who tweeted about the exploit early Monday morning. According to Wardle, certain unsigned apps on High Sierra (and possibly older versions of macOS) can reportedly access data stored within Apple’s Keychain platform — and that data is displayed as plaintext, even without a user’s system password. Wardle also shared a video showing the vulnerability in action (see below).
Wardle, for his part, created an example app he named “keychainStealer” to demonstrate the exploit. Using the app, he was able to access plaintext user login information for various accounts stored in Keychain — including Facebook, Twitter and Bank of America.
It’s worth noting that the exploit can only work if a user downloads an app with malicious code from a non-trusted source. Apple discourages these types of downloads and even blocks apps from unknown developers by default. A user can explicitly override the built-in security settings, however. And presumably, many popular apps from non-trusted developers would harbor malicious code. Wardle told Forbes on Monday that it isn’t too difficult to run malicious code on a Mac, even with Apple’s strict security platforms in place.
“Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords,” Wardle told the publication. “Normally you are not supposed to be able to do that programmatically.”
The researcher went on to add that most attacks today involve social engineering “and seem to be successful targeting Mac users.” He noted that his keychain exploit might not be “elegant,” but it doesn’t require root access and is successful 100 percent of the time.
In order to help prevent malicious attackers from taking advantage of the vulnerability, Wardle did not release the full exploit code. Because of that, however, exact details on the exploit aren’t currently known and haven’t been corroborated by any other source thus far. It’s also impossible to tell whether malicious entities have access to similar code, or if the vulnerability has been used in the wild.
Apple only just released its macOS High Sierra update to the public this morning. But with an exploit this dangerous, the company is likely to patch the problem in a future update — one that’ll likely come in the next few days. As of the writing of this article, the company has not responded to requests for comment.
If you haven’t downloaded macOS High Sierra, it might be smart to hold off until Apple addresses the issue. If you have, be extremely careful about the kind of apps you download. In fact, you should entirely avoid downloading or running apps from non-trusted sources until the vulnerability is patched.