Apple’s latest macOS, High Sierra, rolls out today with plenty of nice security upgrades, including invasive ad tracker blocking in Safari and weekly firmware validation. But the new OS apparently comes with a security problem, too—a security researcher at Synack has already discovered a way to snatch passwords from High Sierra.
Patrick Wardle, the head of research at Synack, revealed the issue today in a video where he demonstrated code that appeared to extract plaintext passwords from the Keychain. If users opt into using Keychain, they can use it to store their login information, credit cards, and WiFi passwords.
Normally, all Keychain information is locked down with a user’s master password. But Wardle was able to extract passwords from the Keychain without entering a master password, showing that an attacker with access to an unlocked computer might be able to steal Keychain data.
“Applications running on your system are able to access all the information in the Keychain without any user interaction,” Wardle told Gizmodo. “There’s a vulnerability that allows local code to access the keychain and bypass the security components.”
Wardle’s walk-through video demonstrates his “keychainStealer” app and shows it pulling plaintext passwords for Twitter, Facebook, and Bank of America.
Wardle reported the vulnerability to Apple on September 7th and said he expects that Apple will likely ship a patch soon. He said he won’t make his exploit public until it’s patched. He designed it with the assumption that Keychain would be unlocked, since a user’s login password is typically used to unlock the Keychain. However, if a user had set a different password for the Keychain, the attack would not work. Wardle also noted that the vulnerability exists in older versions of macOS as well as High Sierra.
“If I can find these bugs, obviously nation states, malicious adversaries, and cyber criminals have tons more time and resources. I’m sure they’re finding these bugs as well,” Wardle explained.
Some Mac users tweeted that they’d avoid updating to High Sierra until the issue was fixed, but Wardle doesn’t recommend holding off on High Sierra. “I think everyone should update. There’s a lot of good built-in security features. This attack works on older versions of Mac OS as well. There’s no reason for people not to upgrade,” he said.
Gizmodo contacted Apple for comment and will update when we hear back.
Updated throughout at 6:20 p.m. with comment from Wardle.
Update 8:15 p.m.: Launching an app like Wardle’s would require explicit user approval, an Apple spokesperson told Gizmodo. “macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents,” the spokesperson said.