macOS's Keychain vulnerability reported earlier in Sept., Apple patch likely coming soon

The Keychain password vulnerability affecting multiple versions of macOS — including High Sierra — was reported to Apple on Sept. 7, and will likely be patched by the company in the near future, according to the security researcher who first publicized the issue.

Technical details of the exploit won't be made public until Apple has released that patch, Patrick Wardle told Gizmodo. He cautioned though that if he found the problem, other less conscientious actors may have beaten him to the punch.

"If I can find these bugs, obviously nation states, malicious adversaries, and cyber criminals have tons more time and resources. I'm sure they're finding these bugs as well," he said.

The researcher recommended updating to High Sierra in the meantime, since "there's a lot of good built-in security features," and there's no protection in remaining on Sierra.

On Monday Wardle published video of a concept app able to capture Keychain passwords in plaintext, without root access, so long as the victim is signed in. Real-world targets would have download, install, and run the app while bypassing macOS security measures designed to deter using unsigned software.

"macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval," an Apple spokesperson said to Gizmodo. "We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogues that macOS presents."

5 Comments

lkrupp 10521 comments · 19 Years

About 7 years ago

AppleInsider said:

The researcher recommended updating to High Sierra in the meantime, since "there's a lot of good built-in security features," and there's no protection in remaining on Sierra.

Okay, so the Internet exploded yesterday, @sog35 went ballistic, and Forbes went for the jugular with its incendiary headline over a vulnerability discovered that goes back way before High Sierra. Trolls went forth to announce the evil that is macOS. A routine security report about a vulnerability that will be patched along with a continuing stream of others in due time and it blows up the Internet. Now comes forward the researcher who found this vulnerability to say it’s okay to upgrade to High Sierra because of “a lot good built-in security features”. It’s unbelievable but par for the course because it’s Apple.

sirlance99 1301 comments · 11 Years

About 7 years ago

lkrupp said:

AppleInsider said:

The researcher recommended updating to High Sierra in the meantime, since "there's a lot of good built-in security features," and there's no protection in remaining on Sierra.

Okay, so the Internet exploded yesterday, @sog35 went ballistic, and Forbes went for the jugular with its incendiary headline over a vulnerability discovered that goes back way before High Sierra. Trolls went forth to announce the evil that is macOS. A routine security report about a vulnerability that will be patched along with a continuing stream of others in due time and it blows up the Internet. Now comes forward the researcher who found this vulnerability to say it’s okay to upgrade to High Sierra because of “a lot good built-in security features”. It’s unbelievable but par for the course because it’s Apple.

Who cares? No reason to get so worked up about it. Much more pressing thing in life.

Mcnaugha2 27 comments · 8 Years

About 7 years ago

I don’t get this... I allow a shady app to bypass Gatekeeper and it can read my keychain... where’s the surprise? Apps being able to read my password manager is the whole point of the password manager. Is this really a thing?

john.b 2733 comments · 16 Years

About 7 years ago

Trying to figure out why on Earth I would ever install software on my Mac from a developer who couldn’t be arsed to sign their app, requiring me to turn off Gatekeeper?

cgWerks 2947 comments · 8 Years

About 7 years ago

Mcnaugha2 said:

Apps being able to read my password manager is the whole point of the password manager. Is this really a thing?

No... apps shouldn't be able to read your password manager! Your password manager should 'type'/pass the necessary information to the application.

And, THIS is why you should probably get a real password manager, and not depend on a half-baked Apple feature.