macOS High Sierra arrives with password-pinching zero-day in tow
APPLE HAS RELEASED macOS 'High Sierra', its latest major update for Mac users that includes Safari autoplay blocking, a switch to Apple File System (APFS), and, er, a vulnerability that allows hackers to pilfer passwords.
Patrick Wardle, a former National Security Agency analyst and now head of research at security firm Synack, revealed the security issue in a video (below) where he demonstrated code that appeared to extract plaintext passwords from the Keychain.
While these logins are typically locked down with a master password, Wardle was able to carry out an attack that sent all the contents of the keychain to an attacker without the need for that password.
Using his «keychainStealer» app, Wardle forced the keychain to hand over plaintext passwords for Twitter, Facebook, and Bank of America.
«Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords,» Wardle told Forbes. «Normally you are not supposed to be able to do that programmatically.»
«Most attacks we see today involve social engineering and seem to be successful targeting Mac users,» he added. «I’m not going to say the [keychain] exploit is elegant — but it does the job, doesn’t require root and is 100% successful.»
Wardle reported the vulnerability to Apple on September 7th and said he expects that Apple will likely ship a patch soon.
Apple, naturally, played down the flaw, saying in a statement: «macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval.
«We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.»
So, er, macOS High Sierra is available to download now as a free update. µ