After reading some developers’ thoughts on High Sierra, my Spidey Senses have been telling me to wait until .1 or .2 before I update.

All of the quirks of this launch reinforce this. It just feels like Apple is behind the ball across the board this time around.

What are others finding who have already upgraded?
 
This isn’t a real big deal. Even if a developer’s app is signed it doesn’t mean they couldn’t do something surreptitious with keychain. All this means is that 1Password, or similar, is still the best choice.
 
Wasn’t this supposed to be the “bug fixing” release when Apple made everything solid?
 
Viruses and malware have been distributed via well-known trusted apps before, such as Handbrake. Now what?
If you’re running something from outside the App Store, it’s inferred that you trust the source of the content. If you are compromised as a result, then your trust with that source is broken. Well, AND you’re compromised now. It could happen with Sketch, with Rogue Amoeba, with any of them. The user accepts the responsibility once they bypass GateKeeper.
 
If you’re running something from outside the App Store, it’s inferred that you trust the source of the content. If you are compromised as a result, then your trust with that source is broken. Well, AND you’re compromised now. It could happen with Sketch, with Rogue Amoeba, with any of them. The user accepts the responsibility once they bypass GateKeeper.

Blaming users for a critical OS vulnerability doesn't make much sense, especially considering the entire reason for having an industry-standard platform is to encourage third-party app development.
 
How is he a jerk? He made YOU aware of an issue, which means YOU can hold off installing the software. Blame Apple, not him!

Apple needs to fix this, however mistakes happen. It is common courtesy to go to Apple (or any software company) with what he had and first ask how long they need to fix the issues before he releases his findings OR at least tell them he is going to release the information in X days. Unless he just found this bug today, it is distasteful that he waited until the public release to disclose it.
 
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
You're pathetic.
If he did contact Apple, surely he can provide a disclosure timeline. When did he tell them? When, if at all, did they respond? How much time did he give them? When did he decide to no longer wait and instead publish the vulnerability?

Everything else is irresponsible.
Yeah. He's irresponsible.

Not the corporation with billions of dollars and countless employees.
 
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk

Looking for a paycheck. In another screenshot I saw he had something like "bug bounty program ($$$)" on the screen with the dump running.
 
 
You’re talking about a sandboxed app. This app is junk off the internet. It could do literally anything your user creds have the power to do.

Even a non-sandboxed app should require 'admin' privileges (or sudo), prompting for your user password.
 
Luckily I rarely download anything outside of the app store. I do take updates from Adobe and other well known companies. I think this is a good general reminder about downloading software and understanding/trusting the source of that software. Know the company you are downloading from and make sure they are a reputable company with a solid customer history.

It would be nice to have a log of applications that access the keychain and what they access. But also, it would be nice to restrict access to the keychain for only your app (storing to and retrieving from) but then that is it. This goes for traveling to less traveled websites. Keep your travels to known websites. Helps reduce the amount of malicious attacks/information gathering you get.
 
He made everyone aware of the issue, possibly without giving Apple time to fix it. Thus, he exposed people.
You are presuming the bad guys aren't already aware of this issue. It exists in High Sierra, Sierra, and so on... Seems Apple has had years to find it and fix it!
 
1. Would have been even greater if Apple had people who found these kinds of bugs themselves before release.
2. You don't know if he found this yesterday. But sure hate on the guy who might have prevented your bank account password from ending up in the wrong hands. Jerk.

Well, you don’t protect people by releasing the exploit to the public. You give the offending party time to correct and then shame them if they don’t.
 