macOS High Sierra vulnerability may let unsigned apps steal Keychain logins in plaintext
Apple's macOS High Sierra contains a vulnerability that lets apps discover Keychain passwords in plaintext, though it requires victims to intentionally override built-in security, a researcher noted on Monday.

A private concept app, created by Synack research director Patrick Wardle, was able to leverage the vulnerability to rip logins for websites like Facebook and Bank of America. In talking to Forbes, Wardle said that the exploit works as long as a person is logged in, and doesn't require root access.
The concept app does however demand that people download, install, and run it while deliberately overriding macOS security settings, including warnings about trusting unsigned software.
Wardle later commented that other versions of macOS are exposed as well.
High Sierra launched today as a free update, but has been in beta for months. It's therefore not clear whether the security issue was discovered today or some time ago. Likewise, Apple didn't reply to a Forbes request for comment, so it's unknown if the company is working on a fix.

Comments
As long as the Keychain is unlocked there is nothing to stop it.
Kinda sounds to me like someone knew of this exploit and just waited until macOS Sierra was released to say something.
"Nasty password-pilfering hack ruins Apple macOS High Sierra launch"
While this isn't going to be a wide-spread vector, do you think High Sierra is "ruined?" We reported on it sanely, and without hyperbole. Maybe somebody will find our story instead of the O! Woe! Ruined! headline.
I always thought that was insecure, so good on whoever to make it a big issue hopefully soon I will not worry that much about using Apple Keychain.
You were saying? Stupid is as stupid does. Security ‘researchers’ are always making incendiary claims, always trying to make a mountain out of a molehill, always trying to scare people. How many times have we been treated to some security researcher’s “Nibiru is coming” declaration only to find out there’s little chance of the vulnerability actually hurting anyone. Okay, it’s a vulnerability with little potential to harm. It will be fixed in the next security update, along with the dozens more we see with every security update.
Nope. It will be dealt with in a security update that will include a dozen or more vulnerabilities found in High Sierra, just like every other macOS release.
And even if you could you would first have to trick your victims into downloading your nasty. Then those users would have to disable Gatekeeper in order to launch it. Do you think you could do that to enough users to make it worth your while as a bad actor? Well that’s why these vulnerabilities never amount to much in the real world. Even the researcher in this case admits that.
In fact I checked and the old AppleScripts no longer work. There are workarounds but they involve giving an application the permission to control your computer, which hopefully you won't consider unless it is an assistive app.
Or he's just trying to generate revenue by getting people to read a sensationalist article about a non-event.
Just like the reporting on the FaceID "FAIL!" at the announcement. There doesn't have to be any malice, just either a lack of journalistic standards, or a failure to understand the actual problem. And in Tech Journalism, it's often a little from Column A and a little from Column B.
Do I like Forbes, or trust his publication? Hell, no! But I don't think he's being particularly malicious towards Tim Cook or Apple.
Nowadays, you have to search really hard for an exploit, then ignore all the warnings your platform is screaming at you as you download it, then ignore the louder screaming as you blast through a field of checkboxes and warning dialogs to give it complete access to your system to run it.
As someone has already said, this will be fixed in the scheduled maintenance updates. This is just the usual click-baiting from folk who lack the chops to be real journalists.
And supposedly this is a bug in High Sierra. People are assuming it applies to old OS versions too, but nobody knows for sure. Even Patrick Wardle doesn't know because he didn't test it on anything except High Sierra. Really?