The flaw is also in older versions of macOS, so Mac users are affected regardless of whether or not they upgraded their systems. Patrick Wardle, chief security researcher at Synack and founder of Objective-See, says he reported the bug to Apple in early September, but not in time for it to be addressed by macOS version 10.13, also known as High Sierra.
Essentially a password manager, the Mac keychain stores users' passwords for their computer, servers, apps, and various websites and online services. Normally, its contents are accessible only by entering a master password. However, for research purposes, Wardle created an application that exploits an unidentified vulnerability in order to force the keychain to spill its secrets.
In an interview with SC Media, Wardle said he was withholding details of the vulnerability until Apple is able to patch it. "I will say the vulnerability is an implementation flaw in the operating system," he added.