macOS High Sierra vulnerability may let unsigned apps steal Keychain logins in plaintext

Posted:
in macOS
Apple's macOS High Sierra contains a vulnerability that lets apps discover Keychain passwords in plaintext, though it requires victims to intentionally override built-in security, a researcher noted on Monday.




A private concept app, created by Synack research director Patrick Wardle, was able to leverage the vulnerability to rip logins for websites like Facebook and Bank of America. In talking to Forbes, Wardle said that the exploit works as long as a person is logged in, and doesn't require root access.

The concept app does however demand that people download, install, and run it while deliberately overiding macOS security settings, including warnings about trusting unsigned software.

Wardle later commented that other versions of macOS are exposed as well.





High Sierra launched today as a free update, but has been in beta for months. It's not clear therefore whether the security issue was discovered today or some time ago. Likewise, Apple didn't reply to a Forbes request for comment, so it's unknown if the company is working on a fix.
«1

Comments

  • Reply 1 of 23
    jidojido Posts: 125member
    Er, I can write an Applescript that does the same in 2 minutes. Or am I missing something ? 

    As long as the Keychain is unlocked there is nothing to stop it. 
    longpathmacplusplus
  • Reply 2 of 23
    SoliSoli Posts: 10,035member
    jido said:
    Er, I can write an Applescript that does the same in 2 minutes. Or am I missing something ? 

    As long as the Keychain is unlocked there is nothing to stop it. 
    Not in my experience. Even when I access Keychain I can still only see the username and have to use my admin credentials to see the password in plaintext.
    macxpressmagman1979lkrupp
  • Reply 3 of 23
    sog35 said:
    Seriously? Come on Timmy.
    Yes...Tim Cook is in charge of all macOS development. Of course! If Steve were this would have never happened! 

    Kinda sounds to me like someone knew of this exploit and just waited until macOS Sierra was released to say something. 
    edited September 2017 dysamoriamagman1979longpathStrangeDaysmacseekertdknoxwelshdoganomewatto_cobra
  • Reply 4 of 23
    In other news, people committing suicide are a danger to themselves....

    An "exploit" that requires you to be either intending to harm yourself or be utterly clueless is news? Really?
    edited September 2017 cornchipwatto_cobrajony0
  • Reply 5 of 23
    Rayz2016Rayz2016 Posts: 6,957member
    sog35 said:
    Seriously? Come on Timmy.
    Oh dear.  Is it time to fire him again, Soggy?
    StrangeDaysanomeiqatedowatto_cobrajony0
  • Reply 6 of 23
    jdgazjdgaz Posts: 403member
    I guess you have to be willing to shoot yourself in the foot. Kind of like the NFL.
    watto_cobra
  • Reply 7 of 23
    sog35 said:
    Seriously? Come on Timmy.
    Stupid perspective. The CEO of the world's largest technology company isn't coding the platform.
    watto_cobrajony0
  • Reply 8 of 23
    I smell an High Sierra update coming fast.
  • Reply 9 of 23
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    longpath said:
    In other news, people committing suicide are a danger to themselves....

    An "exploit" that requires you to be either intending to harm yourself or be utterly clueless is news? Really?
    Let me share with you a headline about this exploit from Forbes:

    "Nasty password-pilfering hack ruins Apple macOS High Sierra launch"

    While this isn't going to be a wide-spread vector, do you think High Sierra is "ruined?." We reported on it sanely, and without hyperbole. Maybe somebody will find our story instead of the O! Woe! Ruined! headline.
    Solilongpathgatorguytdknoxkevin keeanomefastasleepwatto_cobrazoetmbjony0
  • Reply 10 of 23
    jidojido Posts: 125member
    Soli said:
    jido said:
    Er, I can write an Applescript that does the same in 2 minutes. Or am I missing something ? 

    As long as the Keychain is unlocked there is nothing to stop it. 
    Not in my experience. Even when I access Keychain I can still only see the username and have to use my admin credentials to see the password in plaintext.
    Yes but you are using the Keychain Access application. It is well behaved enough to ask your password, but Applescript keychain scripting will not bother. It just spits out the info. 

    I always thought that was insecure, so good on whoever to make it a big issue hopefully soon I will not worry that much about using Apple Keychain. 
    Soli
  • Reply 11 of 23
    lkrupplkrupp Posts: 10,557member
    sog35 said:
    Seriously? Come on Timmy.
    though it requires victims to intentionally override built-in security”

    You were saying? Stupid is as stupid does. Security ‘researches’ are always making incendiary claims, always trying to make a mountain out of a molehill, always trying to scare people.  How many times have we been treated to some security researcher’s “Nibiru is coming” declaration only to find out there’s little chance of the vulnerability actually hurting anyone. Okay, it’s a vulnerability with little potential to harm. It will be fixed in the next security update, along with the dozens more we see with every security update.

    StrangeDayswatto_cobrakent909
  • Reply 12 of 23
    sflocalsflocal Posts: 6,092member
    Even with Sog35 on my blocked list, his whining still manages to come out and irritate us.
    mattinozStrangeDayswatto_cobraRayz2016zoetmbfastasleep
  • Reply 13 of 23
    lkrupplkrupp Posts: 10,557member

    macseeker said:
    I smell an High Sierra update coming fast.
    Nope. It will be dealt with in a security update that will include a dozen or more vulnerabilities found in High Sierra, just like every other macOS release. 
    StrangeDayswatto_cobraRayz2016
  • Reply 14 of 23
    lkrupplkrupp Posts: 10,557member

    jido said:
    Er, I can write an Applescript that does the same in 2 minutes. Or am I missing something ? 

    As long as the Keychain is unlocked there is nothing to stop it. 
    And even if you could you would first have to trick your victims into downloading your nasty. Then those users would have to disable Gatekeeper in order to launch it. Do you think you could do that to enough users to make it worth your while as a bad actor? Well that’s why these vulnerabilities never amount to much in the real world. Even the researcher in this case admits that.
    edited September 2017 cornchipwatto_cobra
  • Reply 15 of 23
    Let me share with you a headline about this exploit from Forbes:

    "Nasty password-pilfering hack ruins Apple macOS High Sierra launch"

    If I were Tim (or any CEO running a company that got slammed like that), I would be on the phone with Steve Forbes asking him what the eff was going on.  There is no need for that sort of willfully damaging headline.  Smells like Steve Forbes has a beef with Tim Cook and is looking for ways to aggravate him.
    edited September 2017 watto_cobra
  • Reply 16 of 23
    jidojido Posts: 125member
    lkrupp said:

    jido said:
    Er, I can write an Applescript that does the same in 2 minutes. Or am I missing something ? 

    As long as the Keychain is unlocked there is nothing to stop it. 
    And even if you could you would first have to trick your victims into downloading your nasty. Then those users would have to disable Gatekeeper in order to launch it. Do you think you could do that to enough users to make it worth your while as a bad actor? Well that’s why these vulnerabilities never amount to much in the real world. Even the researcher in this case admits that.
    Yes.
    In fact I checked and the old Applescripts no longer work. There are workarounds but they involve giving an application the permission to control your computer, which hopefully you won't consider unless it is an assistive app.
  • Reply 17 of 23
    welshdog said:
    Let me share with you a headline about this exploit from Forbes:

    "Nasty password-pilfering hack ruins Apple macOS High Sierra launch"

    If I were Tim (or any CEO running a company that got slammed like that), I would be on the phone with Steve Forbes asking him what the eff was going on.  There is no need for that sort of willfully damaging headline.  Smells like Steve Forbes has a beef with Tim Cook and is looking for ways to aggravate him.
    Intentional provoking is an ancient technique to get the reaction they wanted. Apple is better not playing into their hands.
    watto_cobra
  • Reply 18 of 23
    anomeanome Posts: 1,533member
    welshdog said:
    Let me share with you a headline about this exploit from Forbes:

    "Nasty password-pilfering hack ruins Apple macOS High Sierra launch"

    If I were Tim (or any CEO running a company that got slammed like that), I would be on the phone with Steve Forbes asking him what the eff was going on.  There is no need for that sort of willfully damaging headline.  Smells like Steve Forbes has a beef with Tim Cook and is looking for ways to aggravate him.

    Or he's just trying to generate revenue by getting people to read a sensationalist article about a non-event.

    Just like the reporting on the FaceID "FAIL!" at the announcement. There doesn't have to be any malice, just either a lack of journalistic standards, or a failure to understand the actual problem. And in Tech Journalism, it's often a little from Column A and a little from Column B.

    Do I like Forbes, or trust his publication? Hell, no! But I don't think he's being particularly malicious towards Tim Cook or Apple.

    cornchip
  • Reply 19 of 23
    Rayz2016Rayz2016 Posts: 6,957member
    Y’know, when I was a lad, you could get a virus on your machine by simply opening a Word file (kudos to Microsoft for inventing VBScript, the original cross-platform virus programming language). 

    Nowadays, you have to search really hard for an exploit, then ignore all the warnings your platform is screaming at you as you download it, then ignore the louder screaming as you blast through a field of checkboxes and warning dialogs to give it complete access to your system to run it. 

    As someone has already said, this will be fixed in the scheduled maintenance updates. This is just the usual click-baiting from folk who lack the chops to be real journalists. 
  • Reply 20 of 23
    On the surface, an issue like this would make me very worried. But there are so many strange issues associated with this "exploit". For one, what is the issue with everyone touting "unsigned apps"? Why does that matter? If the exploit exists for unsigned apps, then it exists for signed apps too. Are there people out there who really say, "I don't want hackers to have all my passwords, but I'm cool with 10 million random developers across the world with paid Apple developer accounts to have all my passwords." The whole Gatekeeper part sounds suspiciously like security theatre. There is absolutely nothing in Gatekeeper that restricts what an app can do once the user authorizes it. So why is that important?

    And supposedly this is a bug in High Sierra. People are assuming it applies to old OS versions too, but nobody knows for sure. Even Patrick Wardle doesn't know because he didn't test it on anything except High Sierra. Really?
Sign In or Register to comment.