Apple officially released macOS High Sierra to the public today, and a vulnerability has already been demonstrated against it.
As first reported by Forbes, citing a tweet by former NSA analyst and security researcher Patrick Wardle, an unsigned app running on macOS High Sierra can reportedly read the contents of the Keychain, where the system stores saved usernames and passwords, and dump them in plaintext. In Wardle's demonstration the app does this without the user ever being prompted for the keychain password (which, for the login keychain, is normally the user's login password).
Here’s the tweet, which includes a video showcasing the vulnerability.
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)??? vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— patrick wardle (@patrickwardle) September 25, 2017
For the attack to work, the victim has to download and run a malicious app. Because that app does not need to be signed, the attacker does not even need an Apple developer certificate. According to Wardle, it is not that hard to get malicious code running on a Mac, even with Apple's own security measures in place:
“Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords,” Wardle told Forbes. “Normally you are not supposed to be able to do that programmatically.”
“Most attacks we see today involve social engineering and seem to be successful targeting Mac users,” he added. “I’m not going to say the [keychain] exploit is elegant – but it does the job, doesn’t require root and is 100% successful.”
As it stands, Wardle has not released the exploit code, and he expects Apple to fix the issue in a subsequent macOS update.
It is also worth noting that macOS ships with Gatekeeper enabled, and its default setting only lets apps from the Mac App Store or from identified developers (those signed with an Apple-issued Developer ID certificate) launch. An unsigned app downloaded from the internet is blocked on first launch, and the user has to explicitly override that warning to run it. The caveat is that Gatekeeper checks who signed an app, not what it does: a user who has been talked into clicking through the warning has defeated it, which is exactly the social engineering Wardle describes.
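For readers who want to see what Gatekeeper will make of a downloaded bundle before opening it, here is a small pre-flight script. It is an added example written for this page, not code from the article, from Apple or from Wardle. It assumes the macOS command-line tools `xattr`, `codesign` and `spctl` are present, that `spctl --assess` prints a verdict line ending in `accepted` or `rejected` followed by a `source=...` line as it does on macOS, and the script name `check_app.sh` and the function names are my own.

```shell
#!/bin/sh
# check_app.sh (added example, not part of the original article or of Apple's tooling)
# Reports the three things Gatekeeper's first-launch decision depends on for a
# downloaded .app bundle: whether the quarantine attribute browsers set on
# downloads is present, who (if anyone) signed the bundle, and spctl's own verdict.
# The xattr/codesign/spctl tools ship with macOS; elsewhere they are reported missing.
#
# Usage: sh check_app.sh /Applications/SomeApp.app   (exit 0 = Gatekeeper would allow it)

# Classify the text printed by `spctl --assess --verbose=4 --type execute <bundle>`.
# Expected (assumed) format: "<path>: accepted" or "<path>: rejected", then a line
# such as "source=Mac App Store", "source=Developer ID" or "source=no usable signature".
# Echoes one of: appstore, developer-id, accepted-other, rejected-unsigned, rejected, unknown.
gatekeeper_verdict() {
    assess_output=$1
    case $assess_output in
        *": accepted"*)
            case $assess_output in
                *"source=Mac App Store"*) echo appstore ;;
                *"source=Developer ID"*)  echo developer-id ;;
                *)                        echo accepted-other ;;
            esac ;;
        *": rejected"*)
            case $assess_output in
                *"source=no usable signature"*) echo rejected-unsigned ;;
                *)                              echo rejected ;;
            esac ;;
        *) echo unknown ;;
    esac
}

check_app() {
    app=$1
    [ -d "$app" ] || { echo "no such bundle: $app" >&2; return 2; }

    # 1. Quarantine flag: set by browsers and Mail on download. Gatekeeper only
    #    evaluates quarantined files, so a missing flag means no check at launch.
    if command -v xattr >/dev/null 2>&1; then
        if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
            echo "quarantine: yes ($q)"
        else
            echo "quarantine: no (Gatekeeper will not evaluate this bundle)"
        fi
    else
        echo "quarantine: xattr unavailable (not macOS?)"
    fi

    # 2. Signing identity. codesign writes its report to stderr; an unsigned bundle
    #    produces "code object is not signed at all".
    if command -v codesign >/dev/null 2>&1; then
        echo "signature:"
        codesign -dv --verbose=2 "$app" 2>&1 \
            | grep -E '^(Identifier|Authority|TeamIdentifier)=|not signed' \
            | sed 's/^/  /'
    else
        echo "signature: codesign unavailable (not macOS?)"
    fi

    # 3. Gatekeeper's verdict, computed the same way the first-launch check does.
    if command -v spctl >/dev/null 2>&1; then
        out=$(spctl --assess --verbose=4 --type execute "$app" 2>&1) || true
        verdict=$(gatekeeper_verdict "$out")
        echo "gatekeeper: $verdict"
        case $verdict in
            appstore|developer-id|accepted-other) return 0 ;;
            *) return 1 ;;
        esac
    fi
    echo "gatekeeper: spctl unavailable (not macOS?)"
    return 3
}

# Run only when a bundle path is supplied on the command line.
if [ -n "${1:-}" ]; then
    check_app "$1"
fi
```

A non-zero exit means Gatekeeper would block the bundle on first launch, which is the moment the user would otherwise be asked to override it. Keep in mind what this does not tell you: a Developer ID signature says who vouched for the app, not whether its code touches the keychain, so this check complements, rather than replaces, caution about where the download came from.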
As usual, be careful about where you download apps from.