Just before Apple rolled out macOS High Sierra to the public today, researcher and ex-NSA analyst Patrick Wardle revealed a serious security vulnerability in the new release. The flaw reportedly lets an attacker steal the usernames and passwords of accounts stored in the Mac Keychain.
Patrick Wardle tweeted about the flaw early this morning and shared a video clip demonstrating how he exploited it on macOS High Sierra. He wrote an app called keychainStealer to carry out the password exfiltration. The video shows that an unsigned app on macOS High Sierra can access the Keychain and display plain-text usernames and passwords without the user's master password.
Keychain is a digital vault of sorts that stores passwords and cryptographic keys; the data inside normally requires the user's master password to access. The vulnerability in macOS High Sierra allegedly allows anyone able to run malicious code on a Mac to pilfer passwords from the Keychain in the new version of macOS.
“Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plain-text passwords,” Wardle told Forbes. “Normally you are not supposed to be able to do that programmatically.” For the exploit to work, the user has to download and run an unsigned app that contains third-party malicious code. Older versions of macOS are also vulnerable to the flaw.
Apple later responded in an e-mail: “macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to the security dialogs that macOS presents.”
Patrick Wardle reported the vulnerability to Apple last month and decided to disclose it publicly when the company released High Sierra without fixing it first. He has not revealed the full exploit code, expecting Apple to patch the issue in a subsequent update to the latest macOS. He also mentioned that Apple would be well served by a bug bounty program for macOS.
Generally, when you click to run an unsigned app on a Mac, Gatekeeper notifies you and asks for permission to override the security measure. To reduce the risk of being hacked on your Mac, be aware of where you are downloading apps from, and be cautious whenever you are asked to type in your admin password to allow changes.
Update: On Oct 5 Apple released a supplemental update for macOS High Sierra that addresses this Keychain issue. All High Sierra users are advised to install this update as soon as possible.
What do you think of this flaw? Share your opinion with us in the comments.