Incredible.
Not the bug. Not Apple.
The comments. They are incredible, to say the least. But to each their own.
Yes, Sierra is vulnerable as well. Probably others (I wouldn't stretch it to all others).
No, signed apps do not protect from this. They simply are allowed to run without asking to explicitly permit it. Patrick clearly stated in the first flow of comments to his tweet that he presented the non-signed case to show how low the bar is.
Since there is no real PoC or low-level technical digression, it's still a 0-day. If it is and he really contacted Apple and a fix is coming, it's better for people to know. If somebody knew before him, and the exploit has been circulating before, it's difficult to imagine that people posting nonsense in MacRumors forums (or wherever) could really have discovered their credentials being exfiltrated like that.
Between 1995 and 2001, (real) responsible disclosure was a reality. Bugs were discussed, exploits were analyzed and some of the blackhat community actively participated in the discovery/disclosure/resolution process. Then, when the public nonsense began to talk about (their) ethics, this process slowly died and the era of Friday's advisories - void of any real technical discussion - and of automatic updates began. The blackhat community readily began to, again, work in the dark without really disclosing. 0-days began to, again, stay in that state for, potentially, years. Look at a years-long window of vulnerability and imagine it deteriorating your private data and life. You will probably change your idea about this guy. At least, a little bit, maybe sparing the rest of us about jerks, ethics and technical inaccuracies (that every day let the bad guys behave as such and with profit).
Sorry for being rude. It's not you. This is for looking just at the finger, pointing to the moon.