Apple's macOS High Sierra contains a vulnerability that lets apps discover Keychain passwords in plaintext, though it requires victims to intentionally override built-in security, a researcher noted on Monday.
A private concept app, created by Synack research director Patrick Wardle, was able to leverage the vulnerability to rip logins for websites like Facebook and Bank of America. In talking to Forbes, Wardle said that the exploit works as long as a person is logged in, and doesn't require root access.
The concept app does however demand that people download, install, and run it while deliberately overiding macOS security settings, including warnings about trusting unsigned software.
Wardle later commented that other versions of macOS are exposed as well.
High Sierra launched today as a free update, but has been in beta for months. It's not clear therefore whether the security issue was discovered today or some time ago. Likewise, Apple didn't reply to a Forbes request for comment, so it's unknown if the company is working on a fix.