macOS High Sierra Vulnerability Allows Apps To Steal Passwords From Keychain

Apple has released macOS High Sierra as a free update to all owners of Mac computers, but it looks like it has a serious vulnerability issue. The security flaw within the new version of macOS can allegedly allow a hacker to steal usernames and passwords stored in the user’s Keychain.

The vulnerability inside macOS High Sierra was first reported by ex-NSA analyst Patrick Wardle on Twitter. He claims that malicious third-party apps can access plaintext Keychain data with this vulnerability. This means hackers could potentially steal people’s usernames and passwords without the need of the master password. Keychain is Apple’s own program where users can store all their passwords in iCloud.

In order for this exploit to work, users will have to download a malicious third-party app from an unknown source, according to MacRumors. This is something that Apple actually discourages. The tech giant prefers that users should almost always download apps from the Mac App Store. Apple doesn’t even allow directly installing apps from an unknown/unrecognized developer. Users would need to override or allow macOS’s security settings in order to do that.

Wardle demonstrated how the exploit works by making his own proof-of-concept app called “keychainStealer.” The app will be able to run a malicious code on a Mac computer which can infiltrate and extract all of the user’s stored passwords in their Keychain. In his video demonstration, the app was able to access plaintext passwords stored in the Keychain for Facebook, Twitter and Bank of America.

“Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords. Normally you are not supposed to be able to do that programmatically,” Wardle explained to Forbes. “Most attacks we see today involve social engineering and seem to be successful targeting Mac users. I'm not going to say the [keychain] exploit is elegant - but it does the job, doesn't require root and is 100% successful.”

Although Wardle only showed the new vulnerability in action on macOS High Sierra, he believes that older versions of Apple’s operating system might also be affected. He hasn’t published the full exploit code for the new vulnerability, but he predicts Apple will be fixing this issue in an upcoming software update.

“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents,” Apple told CNET in response to this new exploit.

Wardle has been critical of Apple’s operating system over the last few years. Earlier this month, he also reported that macOS High Sierra’s new Secure Kernel Extension Loading (SKEL) feature is broken, demonstrating that it doesn’t fully prevent malicious apps from bypassing Apple’s security feature.

“As a passionate Mac user, I'm continually disappointed in the security of macOS," he said. "I don't mean that to be taken personally by anybody at Apple -- but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there I'm sure sophisticated attackers have similar capabilities,” Wardle told ZDNet. “Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable.”