
macOS High Sierra vulnerability may let unsigned apps steal Keychain logins in plaintext

Apple's macOS High Sierra contains a vulnerability that lets apps discover Keychain passwords in plaintext, though it requires victims to intentionally override built-in security, a researcher noted on Monday.

A private concept app, created by Synack research director Patrick Wardle, was able to leverage the vulnerability to rip logins for websites like Facebook and Bank of America. In talking to Forbes, Wardle said that the exploit works as long as a person is logged in, and doesn't require root access.

The concept app does, however, demand that people download, install, and run it while deliberately overriding macOS security settings, including warnings about trusting unsigned software.

Wardle later commented that other versions of macOS are exposed as well.

High Sierra launched today as a free update, but has been in beta for months. It's therefore not clear whether the security issue was discovered today or some time ago. Likewise, Apple didn't reply to a Forbes request for comment, so it's unknown if the company is working on a fix.



23 Comments

jido 22 Years · 126 comments

Er, I can write an AppleScript that does the same in 2 minutes. Or am I missing something?

As long as the Keychain is unlocked there is nothing to stop it. 

Soli 9 Years · 9981 comments

jido said:
Er, I can write an AppleScript that does the same in 2 minutes. Or am I missing something?

As long as the Keychain is unlocked there is nothing to stop it. 

Not in my experience. Even when I access Keychain I can still only see the username and have to use my admin credentials to see the password in plaintext.

macxpress 16 Years · 5915 comments

sog35 said:
Seriously? Come on Timmy.

Yes...Tim Cook is in charge of all macOS development. Of course! If Steve were this would have never happened! 

Kinda sounds to me like someone knew of this exploit and just waited until macOS Sierra was released to say something. 

longpath 20 Years · 401 comments

In other news, people committing suicide are a danger to themselves....

An "exploit" that requires you to be either intending to harm yourself or be utterly clueless is news? Really?

Rayz2016 8 Years · 6957 comments

sog35 said:
Seriously? Come on Timmy.

Oh dear. Is it time to fire him again, Soggy?