huh? where did he enter his password in the demo? the whole thing looks pretty scary/legit to me...
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
macOS High Sierra Vulnerability Allegedly Allows Malicious Third-Party Apps to Access Plaintext Keychain Data
- Thread starter MacRumors
- Start date
- Sort by reaction score
huh? where did he enter his password in the demo? the whole thing looks pretty scary/legit to me...
He doesn't owe Apple anything. Just like Apple doesn't owe him anything. He did them a favour.
There are zero day security bugs everywhere, even in decades old code that haven't been discovered yet. Welcome to reality!
How do you know this doesn't affect every version of macOS? Just because this guy proved it in High Sierra doesn't mean this vector isn't available in Sierra, El Capitan, Yosemite, Mountain Lion, Lion, Snow Leopard, Leopard, Tiger, Panther, Jaguar, Puma and Cheetah.
No, sir. He just didn't sign his rogue app with a developer key. If he signed it, they'd run on a default, vanilla system. Signing the app does not mean Apple has verified the contents of the app.
I just searched my keychains for a known password I have in plain text, found nothing, keychain is encrypted so I think something is fishy here.
If the code is decades old, it's not technically zero-day.
App should only be able to see passwords associated with it. Should be a secure key exchange between app and the keychain, should NOT be able to access other app's data. Basic security 101.
Zero-day means you have zero days' time from the day the vulnerability is disclosed to protect yourself. You're immediately affected.
The video doesn’t show the step where you have to explicitly allow OSX to install external apps. Which requires you to type your password. But you only have to do this once, not for every app.
To enable a non-authorized app to run, you have to enter your password. If you have made it once, the system remembers it, meaning he must have authorized the app before.
Only if you purposefully download and run some random malware. This is being totally overblown. The easy and inevitable answer for Apple is to disallow apps that don’t come from the App Store or a signed developer. If you’re downloading and installing random crap from unsigned developers, you’re at risk. Otherwise nothing to see here.
That's true. But the verification process should find these kind of things, right?
Hmmm, or maybe not. They're only humans after all!
Yes, this is one of the biggest misunderstandings and flaws of GateKeeper. Apps distributed through Mac App Store is obviously a lot more secure, which goes through more stringent review process and is distributed through Apple's server (instead of developer's website, which could get hacked).
You’re talking about a sandboxed app. This app is junk off the internet. It could do literally anything your user creds have the power to do.
And Apple can do something to ensure that anything purchased through the App Store CAN’T access another app’s data. Basic security 001 is don’t install applications from outside the App Store. There’s no application that NOT on the Apple Store that has to follow basic security practices. NONE of them. In fact, some exist outside the store BECAUSE what they want to do as a basic function is something that Apple doesn’t allow. Specifically for this reason.
I still say that anytime a security exploit has to start with killing your front door guard and leaving the door wide open (bypassing GateKeeper) is not so much of a security exploit than a brain exploit. Going by this guy’s argument, the fact that I can call you on the phone to go into keychain and give me your password is asecurity exploit.
LOL, MS has no interest or desire. This isn't 1990, and the PC wars are long over.