On release day. That's embarrassing.

I wonder if he reported this to Apple and then waited for the public release before announcing it. Apple likely had the bug report and possibly ignored it or irresponsibly released High Sierra knowing this bug exists.

What is not clear is whether this ONLY affects High Sierra, or whether it affects earlier versions of macOS as well.

I've been trusting my info to Keychain for 16 years, so this is a big deal to me.
 
Unfortunately, there are plenty of bugs in any OS. And sometimes, they aren't found until the last moment.

There is nothing to apologize for. People can blame and mock Apple over this if they want. However, Apple has never claimed to release perfect software. And neither has any other OS developer.

It’s more that Apple’s software is getting progressively worse. Even their internet services have started being less reliable over the past 12 months or so, in my experience.
 
Why are some of you acting like security vulnerabilities have never happened before this? This isn't the end of the world, and if you've followed Apple's advice (which is plastered all over the place), you won't have anything to worry about. There's a reason Apple makes you jump through hoops to get unverified developers' apps on your machine.

Try to install apps from the App Store. If you can't, trust the developers who make the app or don't use it at all. That is basic information security.
 
“For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.”

So basically, the ‘issue’ is the user, not macOS. Anyone affected by this ‘issue’ shouldn’t be using computers in the first place.
 
Do people realize he's the fellow behind BlockBlock, RansomWhere?, etc. at Objective-See? It's not like he's some random Mac-basher.
 
“For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.”

So basically, the ‘issue’ is the user, not macOS. Anyone affected by this ‘issue’ shouldn’t be using computers in the first place.
No, it's the OS.
There are plenty of legit apps outside Apple's toy store.
No app should ever have access to this data regardless of its origin.
 
Unfortunately, this isn't realistic. There are many applications that simply cannot abide by Apple's rules.

Thankfully macOS isn't locked down like iOS; otherwise macOS apps would be one-trick ponies like iOS apps. The past few companies I've worked at have all used Macs. We 100% relied upon apps that were not in the App Store. Otherwise we'd have to use Windows or Linux.

The day I'm unable to use non-Mac App Store apps for personal use on macOS, that would be the last day of using macOS; macOS would render itself utterly useless.

Basic security 001 is don’t install applications from outside the App Store. There’s no application that is NOT on the App Store that has to follow basic security practices. NONE of them. In fact, some exist outside the store BECAUSE what they want to do as a basic function is something that Apple doesn’t allow. Specifically for this reason.
 
The entire reason for having an industry-standard platform is to encourage third-party app development.
...of Applications that appear on the App Store. Every valid developer that has their eyes set on a Non-App Store model has to include instructions on their website telling people to do something that makes their system less secure for a moment to let their app do what it needs to do.

Those engaging in social engineering are doing the same thing, trying to get you to manually lower the security of your system so that they can do what they need to do. In both cases, it’s the user’s fault if they can now use Sketch OR if they just sent all their account and financial information to a scammer.
 
I never upgrade right away as a general rule. Nor do I ever bother looking for apps to DL outside of the app store. Definitely not about to start.
 
What are the chances that this vulnerability was already exploited? Slim to none, I would say. However, I was already thinking of doing a clean install because of APFS, so maybe this will be a good reason, and I won't use non-App Store apps afterwards. Secondly (perhaps a dumb question), would installing Anaconda (within the terminal without using admin rights) be a risk?
 
Patrick says he did contact Apple as soon as he found it.

I did! Pretty much as soon as I found the bug
...along with a detailed description and even PoC exploit code


Fair enough, but when did he notify them? Today? Yesterday? Last week? It is normal for companies not to respond to these submissions (at least on the record) for many reasons, but how long did he give Apple to fix this issue before going public? If we find out it was 2-3 months ago, this is fair.
 
Fair enough, but when did he notify them? Today? Yesterday? Last week? It is normal for companies not to respond to these submissions (at least on the record) for many reasons, but how long did he give Apple to fix this issue before going public? If we find out it was 2-3 months ago, this is fair.
To my knowledge, Patrick has not given a specific timeline as to when he acted.
 
What about when a legitimate app provider gets hacked on the server side and their binary gets replaced with malware? It happened to the Transmission team.
Very true. Exploiting companies to get malicious code into official releases is increasing; the most famous example is probably when Juniper Networks firewall code was found to have been compromised: https://www.wired.com/2015/12/junip...kdoors-show-the-risk-of-government-backdoors/

Occurrences of such attacks are accelerating:
2009: Express Lane (CIA)
2015: League of Legends infected with PlugX, Juniper Networks (see above)
2016: Transmission (twice)
2017: Kingslayer, Operation WilySupply, Handbrake contains Proton RAT, PetyaWrap, ShadowPad
 
Why are some of you acting like security vulnerabilities have never happened before this? This isn't the end of the world, and if you've followed Apple's advice (which is plastered all over the place), you won't have anything to worry about.

Apple's advice is only use software that Apple approves of, sells you, and takes a 30% cut of.

If you think it's okay to use a computer that way, the iPhones are over there ---->.
 
“For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.”

So basically, the ‘issue’ is the user, not macOS. Anyone affected by this ‘issue’ shouldn’t be using computers in the first place.
I know I've entered my admin password to install software before. Heck, Adobe makes you do it for the Flash plugin. I'm sure I've had to download software outside the App Store on many occasions (e.g., printer software, Steam, Malwarebytes, etc.). Having to do this doesn't make the user an idiot. It simply means not every valid software provider gets identified.
 
The vulnerability is effectively the same as contacting a user and asking them to email you your passwords, given all that would need to occur to install the exploit.
I know I've entered my admin password to install software before. Heck, Adobe makes you do it for the Flash plugin. I'm sure I've had to download software outside the App Store on many occasions (e.g., printer software, Steam, Malwarebytes, etc.). Having to do this doesn't make the user an idiot. It simply means not every valid software provider gets identified.

Yet you know what you are installing; you can't always save a user from themselves.
Apple's advice is only use software that Apple approves of, sells you, and takes a 30% cut of.

If you think it's okay to use a computer that way, the iPhones are over there ---->.

No reason to use anything outside the App Store or not from a trusted vendor unless it's something I've written myself.
 
Unfortunately, this isn't realistic. There are many applications that simply cannot abide by apple's rules.
For the majority of OS X users (you know, the ones that surf the web, check email, and play a few games) it’s ENTIRELY realistic. And it’s not like what Apple asks from developers is onerous; it’s that what the developers have decided to do as a business model is something that generally shouldn’t be done.

Like Rogue Amoeba and Audio Hijack. I love it and use it every now and again, but, no, you shouldn’t insert a third party into the trusted audio stream and send the output elsewhere (for a malicious application, “elsewhere” could be some pretty bad places). However, there are people that want to do this and are willing to pay money to reduce the security of their system for a moment (and TRUST that Rogue Amoeba hasn’t gotten hacked such that malicious code is in their delivery) for the ability to do so.

There will always be edge cases that mean pro users will want to do things that make their systems less secure, BUT we as pro users already hold ourselves responsible for what happens when we make our systems less secure, right?
 
...of Applications that appear on the App Store. Every valid developer that has their eyes set on a Non-App Store model has to include instructions on their website telling people to do something that makes their system less secure for a moment to let their app do what it needs to do.

Those engaging in social engineering are doing the same thing, trying to get you to manually lower the security of your system so that they can do what they need to do. In both cases, it’s the user’s fault if they can now use Sketch OR if they just sent all their account and financial information to a scammer.

The Mac OS was available nearly 30 years before the concept of an "App Store" even existed.
 