Patrick Wardle, a former NSA hacker and security researcher at Synack, slammed High Sierra with a zero-day, an attack that exploits an unknown vulnerability in a system. The weakness hidden within the OS lets a hacker steal passwords from Mac computers by digging into their keychain, Apple’s password management system, which stores passwords, usernames, and other confidential information.
The keychain typically requires a master login password, but Wardle’s exploit allows him to steal every password using an unsigned app from the internet.
Wardle posted a short video clip of the attack, showing him open an application called “keychainStealer.”
A few moments later, passwords for Facebook, Twitter, and Bank of America pop up in plain text on his display. The app can allegedly be used to grab credentials for websites and services, as well as credit card numbers, and can be presented in an email or as a normal application.
“As a passionate Mac user, I’m continually disappointed in the security of macOS,” Wardle told ZDNet. “I don’t mean that to be taken personally by anybody at Apple—but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I’m sure sophisticated attackers have similar capabilities.”
Apple was allegedly notified of the security vulnerability in early September but didn’t patch up its new operating system before launching it on Monday. Wardle wrote in a blog post that he provided a detailed write-up and source code for the exploit, and said Apple “seemed appreciative” of his findings. He suspects a patch is forthcoming.
The security researcher also said it wasn’t difficult to get the malicious app running on a Mac today. He tested it on High Sierra in the video but said older versions of macOS are also vulnerable.
Fortunately, there are ways to protect your personal data from the exploit. Because the app is local, a hacker first needs to infiltrate your system. This is typically achieved by spreading a malicious app through email or social media, so stay away from anything that looks sketchy. Wardle also recommends changing your computer’s keychain password so it’s not automatically unlocked when you log in.
Apple provided a comment to CNET with its own suggestions:
“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.