- Oops: Christians petition Netflix to cancel Amazon Prime’s ‘Good Omens’ 2 Years Ago
- Popular YouTuber threatens suicide on social media, goes missing Today 9:17 AM
- ‘Neon Genesis Evangelion’ is finally coming to Netflix Today 9:07 AM
- Congress isn’t too keen on Facebook starting a cryptocurrency Today 8:56 AM
- Keanu Reeves could join the MCU, according to Kevin Feige Today 8:02 AM
- How to watch the U.S. women vs. Sweden online for free Today 7:00 AM
- What were these QAnon fans doing posing at Guantanamo Bay? Today 6:30 AM
- How to watch the 2019 NBA Draft online for free Today 6:00 AM
- Ta-Nehisi Coates dismantles Mitch McConnell’s anti-reparations argument Wednesday 7:52 PM
- Whoopi Goldberg stirs debate over her opinion regarding Bella Thorne’s nudes Wednesday 7:04 PM
- Joe Biden really, really hates raves Wednesday 6:02 PM
- RIP to the Twitter geotagging feature that no one actually used Wednesday 5:14 PM
- Facebook contractors reveal the horrors of moderating graphic content Wednesday 4:42 PM
- Prosecutor almost directly quoted Bible in trial against man who helped migrants Wednesday 4:05 PM
- TikTok’s time warp videos get it twisted Wednesday 4:03 PM
Patrick Wardle, a former NSA hacker and security researcher at Synack, slammed High Sierra with a zero-day, an attack that exploits an unknown vulnerability in a system. The weakness hidden within the OS lets a hacker steal passwords from Mac computers by digging into their keychain, or Apple’s password management system used to store passwords, usernames, and other confidential information.
The keychain typically requires a master login password, but Wardle’s exploit allows him to steal every password using an unsigned app from the internet.
Wardle posted a short video clip of the attack, showing him open an application called “keychainStealer.”
A few moments later, passwords for Facebook, Twitter, and Bank of America pop up in plain text on his display. The app can allegedly be used to grab credentials from websites, services, and credit card numbers, and can be presented in an email or as a normal application.
“As a passionate Mac user, I’m continually disappointed in the security of macOS,” Wardle told ZDNet. “I don’t mean that to be taken personally by anybody at Apple—but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there I’m sure sophisticated attackers have similar capabilities.”
Apple was allegedly notified of the security vulnerability in early September but didn’t patch up its new operating system before launching it on Monday. Wardle wrote in a blog post that he provided a detailed write-up and source code for the exploit, and said Apple “seemed appreciative” of his findings. He suspects a patch is forthcoming.
The security researcher also said it wasn’t difficult to get the malicious app running on a Mac today. He tested it on High Sierra in the video but said older versions of macOS are also vulnerable.
Fortunately, there are ways to protect your personal data from the exploit. Because the app is local, a hacker first needs to infiltrate your system. This is typically achieved by spreading a malicious app through email or social media, so stay away from anything that looks sketchy. Wardle also recommends changing your computer’s keychain password so it’s not automatically unlocked when you log in.
Apple provided a comment to CNET with its own suggestions:
“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.