Normally, passwords stored in a Mac Keychain vault require a master password for access. Now, attackers can steal Keychain passwords without it.
Just hours after the launch of Mac OS X High Sierra, a security researcher has identified and released a zero-day exploit of the new OS revision that can allow an attacker unfettered access to your keychain file.
Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the password exfiltration exploit in action:
Passwords are stored in the Mac’s Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plaintext using an unsigned app downloaded from the internet, without needing that password. Wardle tested the exploit on High Sierra, but said that older versions of macOS and OS X are also vulnerable.
Wardle created a “keychainStealer” app demonstrating a local exploit for the vulnerability, which according to the video, can expose passwords to websites, services, and credit card numbers when a user is logged in. That exploit could be included in a legitimate-looking app or sent by email.
If I was an attacker or designing a macOS implant, this would be the ‘dump keychain’ plugin.
Patrick Wardle, former NSA hacker and Chief Security Researcher at Synack
He reported the bug to Apple earlier this month, but the patch didn’t make it into High Sierra, which was released Monday.
Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable.
Patrick Wardle, former NSA hacker and Chief Security Researcher at Synack
Apple has not said if or when it will patch the bug. As such, ServerCentral recommends that anyone using Mac OS X devices do not install unsigned software. We also recommend not upgrading to High Sierra until Apple has identified and released a patch.