macOS High Sierra Ships With Vulnerability That Could Allow Unsigned Apps to Steal Keychain Logins in Plaintext

Posted in macOS on 26/09/2017 by Chris Hauk

Apple’s new Mac operating system, macOS High Sierra, shipped with a vulnerability that allows apps to steal Keychain passwords in plaintext. Thankfully, it requires users to intentionally override macOS’s built-in security.

Synack research director Patrick Wardle was able to use the security hole to grab login information for a number of websites, including logins for Facebook and Bank of America. Wardle told Forbes the exploit doesn’t require root access and works as long as the user is logged in.

The vulnerability does require that users download, install and run a malicious app by deliberately overriding macOS security settings, which would include a warning about trusting unsigned software.

Wardle says other versions of macOS are also vulnerable to the exploit.

macOS High Sierra was released to the public on Monday, following a lengthy beta testing period. It isn’t clear whether Apple knew of the vulnerability, or if it is working on a fix.

