macOS High Sierra launch blighted by password-stealing keychain 0-day vulnerability
Apple has only just released macOS High Sierra, but before the update was even out of the door, a 0-day vulnerability had been discovered. A flaw in the Mac keychain makes it possible for malicious applications to steal the contents of the keychain, including plaintext passwords. It affects not only High Sierra, but also older version of macOS.
The way keychain works means that it should not be possible for the keychain to be accessed without providing the master password, but the vulnerability bypasses this requirement. The problem was discovered and demonstrated by security researcher Patrick Wardle from Synack, who is also a former NSA hacker.
The exploit does not require root access, and it could be used to extract passwords before sending them off to a remote server. Speaking to Bleeping Computer, Wardle said: "The exploit works by exploiting an implementation flaw in the OS. It's macOS only (not iOS), but I believe it affects all recent versions of the OS. I haven't tested it with apps from the App Store, but any other code on the box (i.e. it's not a remote attack) can access and dump the user's Keychain."
Wardle shared a video demonstrating the exploit:
In a statement given to Ars Technica, Apple said:
macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.
Wardle has reported the bug to Apple, and the company is believed to be working on a patch. The security researcher says:
Apple marketing has done a great job convincing people that macOS is secure. And I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable. My goal is simply to raise awareness.
As a passionate Mac user, I'm continually disappointed in the security of macOS. I don't mean that to be taken personally by anybody at Apple -- but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there.