Patrick Wardle, a former NSA hacker and security researcher at Synack, hit High Sierra with a zero-day, an attack that exploits a vulnerability the vendor does not yet know about. The weakness in the OS lets an attacker steal passwords from a Mac by reading its keychain, Apple’s password management system, which stores passwords, usernames, and other confidential information.
The keychain normally requires a master login password, but Wardle’s exploit lets him extract every stored password using an unsigned app downloaded from the internet.
Wardle posted a short video clip of the attack, showing him open an application called “keychainStealer.”
A few moments later, passwords for Facebook, Twitter, and Bank of America appear in plain text on his display. The app can allegedly grab credentials for websites and services as well as credit card numbers, and it could be delivered as an email attachment or disguised as an ordinary application.
“As a passionate Mac user, I’m continually disappointed in the security of macOS,” Wardle told ZDNet. “I don’t mean that to be taken personally by anybody at Apple—but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I’m sure sophisticated attackers have similar capabilities.”
Apple was allegedly notified of the security vulnerability in early September but didn’t patch up its new operating system before launching it on Monday. Wardle wrote in a blog post that he provided a detailed write-up and source code for the exploit, and said Apple “seemed appreciative” of his findings. He suspects a patch is forthcoming.
The security researcher also said it wasn’t difficult to get the malicious app running on a Mac today. He tested it on High Sierra in the video but said older versions of macOS are also vulnerable.
Fortunately, there are ways to protect your personal data from the exploit. Because the exploit runs as a local app, an attacker first needs to get code running on your system. This is typically achieved by spreading a malicious app through email or social media, so stay away from anything that looks sketchy. Wardle also recommends changing your computer’s keychain password so that it is not automatically unlocked when you log in.
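The mitigation Wardle recommends can be applied and then verified from the terminal with Apple's stock `security` tool. The script below is an added example written for this page; it is not code from the article or from Wardle's write-up. It assumes macOS with `security` on the PATH, the login keychain at the usual path under `~/Library/Keychains`, and the one-line `security show-keychain-info` output format shown in the constructed sample strings (that format is an assumption; adjust the pattern if your version prints differently).

```shell
#!/bin/sh
# Added example (not from the article or Wardle's write-up): give the login
# keychain its own password so it is no longer unlocked silently at login,
# make it lock on sleep and after inactivity, then verify the settings.
# Assumptions: macOS with the stock `security` CLI; the login keychain at
# the path below; the show-keychain-info output format in the samples.

KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"

# Step 1: set a keychain password that differs from the login password
# (prompts interactively), then require a lock on sleep and after 300 s
# of inactivity, and lock it now so the new policy takes effect at once.
harden_login_keychain() {
  security set-keychain-password "$KEYCHAIN" || return 1
  security set-keychain-settings -l -u -t 300 "$KEYCHAIN" || return 1
  security lock-keychain "$KEYCHAIN"
}

# Step 2: judge one line of `security show-keychain-info` output.
# Returns 0 when the keychain locks on sleep AND has an inactivity
# timeout, 1 otherwise (e.g. the default "no-timeout" state).
check_keychain_settings() {
  info="$1"
  case "$info" in
    *lock-on-sleep*timeout=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample lines standing in for real show-keychain-info output
# (the real command prints this line to stderr, hence 2>&1 below).
HARDENED_SAMPLE='Keychain "login.keychain-db" lock-on-sleep timeout=300s'
DEFAULT_SAMPLE='Keychain "login.keychain-db" no-timeout'

# Query the live keychain and report; exit status mirrors the check.
audit_login_keychain() {
  info=$(security show-keychain-info "$KEYCHAIN" 2>&1) || return 2
  if check_keychain_settings "$info"; then
    echo "ok: login keychain locks on sleep and after a timeout"
  else
    echo "weak: login keychain stays unlocked: $info"
    return 1
  fi
}

# Usage on a Mac:  harden_login_keychain && audit_login_keychain
```

Once the keychain password differs from the login password, macOS no longer opens the login keychain automatically at login, so an app running as the user finds it locked until the user enters the keychain password; `audit_login_keychain` is a quick way to confirm the lock policy is actually in place after the change.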
Apple provided a comment to CNET with its own suggestions:
“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”