Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

macOS's Keychain vulnerability reported earlier in Sept., Apple patch likely coming soon

The Keychain password vulnerability affecting multiple versions of macOS — including High Sierra — was reported to Apple on Sept. 7, and will likely be patched by the company in the near future, according to the security researcher who first publicized the issue.

Technical details of the exploit won't be made public until Apple has released that patch, Patrick Wardle told Gizmodo. He cautioned though that if he found the problem, other less conscientious actors may have beaten him to the punch.

"If I can find these bugs, obviously nation states, malicious adversaries, and cyber criminals have tons more time and resources. I'm sure they're finding these bugs as well," he said.

The researcher recommended updating to High Sierra in the meantime, since "there's a lot of good built-in security features," and there's no protection in remaining on Sierra.

On Monday Wardle published video of a concept app able to capture Keychain passwords in plaintext, without root access, so long as the victim is signed in. Real-world targets would have download, install, and run the app while bypassing macOS security measures designed to deter using unsigned software.

"macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval," an Apple spokesperson said to Gizmodo. "We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogues that macOS presents."



5 Comments

🎄
lkrupp 19 Years · 10521 comments


The researcher recommended updating to High Sierra in the meantime, since "there's a lot of good built-in security features," and there's no protection in remaining on Sierra.

Okay, so the Internet exploded yesterday, @sog35 went ballistic, and Forbes went for the jugular with its incendiary headline over a vulnerability discovered that goes back way before High Sierra. Trolls went forth to announce the evil that is macOS. A routine security report about a vulnerability that will be patched along with a continuing stream of others in due time and it blows up the Internet. Now comes forward the researcher who found this vulnerability to say it’s okay to upgrade to High Sierra because of “a lot good built-in security features”. It’s unbelievable but par for the course because it’s Apple.

🌟
sirlance99 11 Years · 1301 comments

lkrupp said:

The researcher recommended updating to High Sierra in the meantime, since "there's a lot of good built-in security features," and there's no protection in remaining on Sierra.
Okay, so the Internet exploded yesterday, @sog35 went ballistic, and Forbes went for the jugular with its incendiary headline over a vulnerability discovered that goes back way before High Sierra. Trolls went forth to announce the evil that is macOS. A routine security report about a vulnerability that will be patched along with a continuing stream of others in due time and it blows up the Internet. Now comes forward the researcher who found this vulnerability to say it’s okay to upgrade to High Sierra because of “a lot good built-in security features”. It’s unbelievable but par for the course because it’s Apple.

Who cares? No reason to get so worked up about it. Much more pressing thing in life. 

🎄
Mcnaugha2 8 Years · 27 comments

I don’t get this... I allow a shady app to bypass Gatekeeper and it can read my keychain... where’s the surprise? Apps being able to read my password manager is the whole point of the password manager. Is this really a thing?

🎅
john.b 16 Years · 2733 comments

Trying to figure out why on Earth I would ever install software on my Mac from a developer who couldn’t be arsed to sign their app, requiring me to turn off Gatekeeper?

🎅
cgWerks 8 Years · 2947 comments

Mcnaugha2 said:
Apps being able to read my password manager is the whole point of the password manager. Is this really a thing?

No... apps shouldn't be able to read your password manager! Your password manager should 'type'/pass the necessary information to the application.

And, THIS is why you should probably get a real password manager, and not depend on a half-baked Apple feature.