Apple just released the latest version of macOS, dubbed High Sierra, but the OS has a critical zero-day flaw that allows rogue applications to export passwords in plaintext. Worse, the issue isn’t limited to High Sierra (10.13) either, but appears to affect multiple previous versions of the operating system. The flaw was first spotted by Patrick Wardle, an ex-NSA employee who now works for the security research firm Synack.

Here’s how it works: macOS uses a password management system known as Keychain. Apple stores a great deal of sensitive information here, including various passwords, cryptographic keys, and credit card numbers. There’s nothing wrong with this approach, provided that the master data is itself kept secure. The problem (as you’ve likely guessed) is that this data is anything but secured.

Wardle writes that this attack appears to work on at least El Capitan, Sierra, and High Sierra, which means most Mac systems are going to be affected. The attack requires the end user to install a rogue application before it can function, but this is less of a barrier than you might think. Apparently even unsigned applications can trigger the vulnerability, and the payload can be delivered in a variety of ways, including web browsers or a hacked version of a legitimate software product (obviously Macs don’t run CCleaner, but the parallels are impossible to ignore).

While macOS doesn’t permit unsigned apps by default, signed applications can take advantage of this exploit as well, and signing an app only requires a membership in the Apple Developer Program, at $99 per year.

Not only can passwords be exfiltrated from the Keychain, they can be exfiltrated without even entering the master password. The video below demonstrates the attack:

When asked how users can protect themselves from this attack, Wardle writes: “As mentioned before, this attack is local, meaning malicious adversaries have to first compromise your Mac in some way. So best bet – don’t get infected. This means run the latest version of macOS and don’t run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it.”
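The second half of that advice, keeping the keychain locked whenever it is not in use, can also be applied from the terminal rather than by clicking through Keychain Access. The script below is an added example written for this article; it is not code from the article or from Wardle. It uses Apple's built-in security(1) tool and assumes the default login keychain path of ~/Library/Keychains/login.keychain-db (older macOS releases name the file login.keychain, which you can pass in via the KEYCHAIN variable). The 300-second idle timeout is a constructed default.

```shell
#!/bin/sh
# Added example, not from the article or from Patrick Wardle.
# Configures the macOS login keychain to lock on sleep and after an idle
# timeout, then locks it immediately. An unlocked keychain is what a rogue
# local process needs; shrinking that window is the mitigation.
# Assumed default path: ~/Library/Keychains/login.keychain-db
set -eu

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"
TIMEOUT_SECS="${TIMEOUT_SECS:-300}"   # constructed default: lock after 5 idle minutes

# `security ... -t` expects seconds; reject anything that is not a positive integer.
valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0)           return 1 ;;
        *)           return 0 ;;
    esac
}

# Print the commands that would run, one per line, so they can be reviewed first.
plan_commands() {
    # -l: lock when the system sleeps, -u: lock after the -t timeout (seconds)
    printf 'security set-keychain-settings -l -u -t %s "%s"\n' "$1" "$2"
    # Lock the keychain right now rather than waiting for the timeout.
    printf 'security lock-keychain "%s"\n' "$2"
    # Show the resulting lock-on-sleep / timeout settings for verification.
    printf 'security show-keychain-info "%s"\n' "$2"
}

# Apply the plan for real. Returns 1 on a bad timeout, 2 if security(1) is absent.
harden_keychain() {
    valid_timeout "$1" || { echo "timeout must be a positive integer (seconds)" >&2; return 1; }
    command -v security >/dev/null 2>&1 || { echo "security(1) not found; this only runs on macOS" >&2; return 2; }
    security set-keychain-settings -l -u -t "$1" "$2"
    security lock-keychain "$2"
    security show-keychain-info "$2"
}

# Usage:  sh harden_keychain.sh          dry run, prints the plan
#         sh harden_keychain.sh apply    applies the settings and locks the keychain
case "${1:-plan}" in
    apply) harden_keychain "$TIMEOUT_SECS" "$KEYCHAIN" ;;
    *)     plan_commands "$TIMEOUT_SECS" "$KEYCHAIN" ;;
esac
```

With no argument the script only prints the three commands it would run, which is a useful habit for anything that touches credential stores; `apply` runs them. After applying, the keychain will prompt for its password the next time an application needs an item from it, which is exactly the interaction the attack described here avoids.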

Note that this attack can run without any kind of user notification or interaction with the rogue application itself. While it does require that an app gain local access to your system, none of the other detections or warnings that you might expect to kick in from that point forward will apply, and you won’t be prompted for your password before your data is accessed. There’s no word on when a patch will be available, but Wardle reported the bug to Apple several weeks ago, which hopefully means we’ll see an update to close this loophole in the near future.

