macOS High Sierra Vulnerability Allegedly Allows Malicious Third-Party Apps to Access Plaintext Keychain Data

[MacRumors]

macOS High Sierra, released to the public today, could be impacted by a major security flaw that could allow a hacker to steal the usernames and passwords of accounts stored in Keychain.

As it turns out, unsigned apps on macOS High Sierra (and potentially earlier versions of macOS) can allegedly access the Keychain info and display plaintext usernames and passwords without a user's master password.

Security researcher and ex-NSA analyst Patrick Wardle tweeted about the vulnerability early this morning and shared a video of the exploit in action.

on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq - patrick wardle (@patrickwardle) September 25, 2017

For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.

As demonstrated in the video above, Wardle created a proof-of-concept app called "keychainStealer" that was able to access plaintext passwords stored in Keychain for Twitter, Facebook, and Bank of America. Wardle spoke to Forbes about the vulnerability and said it's actually not hard to get malicious code running on a Mac even with Apple's protections in place.

"Without root priveleges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords," Wardle told Forbes. "Normally you are not supposed to be able do that programmatically."

"Most attacks we see today involve social engineering and seem to be successful targeting Mac users," he added. "I'm not going to say the [keychain] exploit is elegant - but it does the job, doesn't require root and is 100% successful."

Wardle has not provided the full exploit code for malicious entities to take advantage of, and he believes Apple will patch the problem in a future update.

As Wardle has not released the full exploit code, it has not been double-checked by MacRumors or another source, so full details on the vulnerability are not known just yet.

Apple has not yet responded to requests for comment about the potential vulnerability.

Article Link: macOS High Sierra Vulnerability Allegedly Allows Malicious Third-Party Apps to Access Plaintext Keychain Data

 

[JackieTreehorn]

10.13.1 developer and public beta in 3, 2, 1.....

 

[bladerunner2000]

On release day. That's embarrassing.

 

[DblHelix]

Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk

 

[wozmatic]

How much will money with this guy make for highlighting the vulnerability?

 

[yanki01]

lol, c'mon on day 1!!!!?!

 

[0003939]

10.13.1 developer and public beta in 3, 2, 1.....

"Apple seeds 10.13.1 Beta 1 to developers."

 

[JosephAW]

I hope that's not his Twitter password.

 

[0003939]

Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk

2nd this. And I am using a few of his software. Must start uninstalling and look for an alternative.

 

[JosephAW]

Doesn't Apple do any testing with 3rd party apps? There's a whole universe of apps that is not in the AppStore that user install and purchase.

 

[ideal.dreams]

Well, I was looking forward to updating my MacBook Pro when I got home from work today but I guess I'll wait...

 

[sequential]

Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk

1. Would have been even greater if Apple had ppl who found these kind of bugs themselves before release.
2. You don't know if he found this yesterday. But sure hate on the guy who might have prevented your bank account password from ending up in the wrong hands.

 

[applesith]

I'm still running El Capitan. I held off on Sierra until the first update but then never upgraded because I didn't need any features and now another year has passed by. Glad I get lazy with these.

 

[Rocko99991]

Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk

And do their work for them? He is keeping them on their toes.

 

[AdonisSMU]

Apple pull it together sis.

 

[Bart Kela]

How much will money with this guy make for highlighting the vulnerability?

Nothing from Apple. This guy is actually lobbying Apple to create a macOS bug bounty "for charity" program.

Currently, Apple only offers limited bug bounties for iPhones and iPads.

 

[jun180]

Just downloaded the installer....and now its deleted.

I'm going to wait till 10.13.1 is out. I had a funny feeling that High Sierra might have issues with APFS, but this is news is much worse than expected!

 

[navaira]

I see a lot of people assuming he didn't contact Apple. Does he explicitly say that somewhere? All I see is "Apple has not yet responded to requests for comment". Because if he DID contact Apple and was ignored, he could have either waited for final version to check whether a fix was implemented, then notified general public immediately, or kept the information to himself and waited until tons of people get their computers hacked.

 

[chucker23n1]

1. Would have been even greater if Apple had ppl who found these kind of bugs themselves before release.
2. You don't know if he found this yesterday. But sure hate on the guy who might have prevented your bank account password from ending up in the wrong hands. Jerk.

If he did find it yesterday, he should have disclosed it to Apple and given them 90 days to fix it.

 

[carlsson]

OMG, to enable this software you have to enter System Preferences, answer YES on two dialogues, and also enter your password. Then it may STEAL your not encoded things stored in the keychain (by default everything is stored encoded). I think I'm going to Windows now. This is just too much!!!

/irony ended

 

[JosephAW]

I'm still running El Capitan. I held off on Sierra until the first update but then never upgraded because I didn't need any features and now another year has passed by. Glad I get lazy with these.

Me too, Still on El Captain on my Mac Pro. Maybe I'll stay on that, or just install 12.12.x Sierra for a year.

 

[s15119]

sigh. don't download junk, don't jeopardize your computer. Common sense is the best anti-virus.

 

[chucker23n1]

I see a lot of people assuming he didn't contact Apple. Does he explicitly say that somewhere? All I see is "Apple has not yet responded to requests for comment". Because if he DID contact Apple and was ignored, he could have either waited for final version to check whether a fix was implemented, then notified general public immediately, or kept the information to himself and waited until tons of people get their computers hacked.

If he did contact Apple, surely he can provide a disclosure timeline. When did he tell them? When, if at all, did they respond? How much time did he give them? When did he decide to no longer wait and instead publish the vulnerability?

Everything else is irresponsible.

 

[redscull]

What _can’t_ a non-sandboxed, unsigned application do though? If my login has the ability to see my keychain passwords (it does, and I can), shouldn’t I naturally expect any software running on my creeds has that power too?

 

[Cougarcat]

If he did find it yesterday, he should have disclosed it to Apple and given them 90 days to fix it.

Maybe, but at least this way he can let people know to hold off installing High Sierra.

Well, nerds who follow tech news, anyway.