Patrick Wardle, a former NSA hacker and security researcher at Synack, slammed High Sierra with a zero-day, an attack that exploits an unknown vulnerability in a system. The weakness hidden within the OS lets a hacker steal passwords from Mac computers by digging into their keychain, Apple’s password management system, which stores passwords, usernames, and other confidential information.
The keychain typically requires a master login password, but Wardle’s exploit allows him to steal every password using an unsigned app from the internet.
Wardle posted a short video clip of the attack, showing him open an application called “keychainStealer.”
A few moments later, passwords for Facebook, Twitter, and Bank of America pop up in plain text on his display. The app can allegedly be used to grab credentials for websites and services, as well as credit card numbers, and can be presented in an email or as a normal application.
“As a passionate Mac user, I’m continually disappointed in the security of macOS,” Wardle told ZDNet. “I don’t mean that to be taken personally by anybody at Apple—but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I’m sure sophisticated attackers have similar capabilities.”
Apple was allegedly notified of the security vulnerability in early September but didn’t patch up its new operating system before launching it on Monday. Wardle wrote in a blog post that he provided a detailed write-up and source code for the exploit, and said Apple “seemed appreciative” of his findings. He suspects a patch is forthcoming.
The security researcher also said it wasn’t difficult to get the malicious app running on a Mac today. He tested it on High Sierra in the video but said older versions of macOS are also vulnerable.
Fortunately, there are ways to protect your personal data from the exploit. Because the app runs locally, a hacker first needs to infiltrate your system. This is typically achieved by spreading a malicious app through email or social media, so stay away from anything that looks sketchy. Wardle also recommends changing your computer’s keychain password so it’s not automatically unlocked when you log in.
Apple provided a comment to CNET with its own suggestions:
“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.