macOS High Sierra Ships With Vulnerability That Could Allow Unsigned Apps to Steal Keychain Logins in Plaintext

Apple’s new Mac operating system, macOS High Sierra, shipped with a vulnerability that allows apps to steal Keychain passwords in plaintext. Thankfully, it requires users to intentionally override macOS’s built-in security.

Synack research director Patrick Wardle was able to use the security hole to grab login information for a number of websites, including logins for Facebook and Bank of America. Wardle told Forbes the exploit doesn’t require root access and works as long as the user is logged in.

The vulnerability does require that users download, install and run a malicious app by deliberately overriding macOS security settings, a process that would include a warning about trusting unsigned software.

Wardle says other versions of macOS are also vulnerable to the exploit.

macOS High Sierra was released to the public on Monday, following a lengthy beta testing period. It isn’t clear whether Apple knew of the vulnerability, or if it is working on a fix.