MacOS can be exploited to reveal keychain passwords, researcher warns

News by Bradley Barth

Launched just days ago, the latest release of Apple's operating system for Macs contains a known zero-day vulnerability that could allow attackers to exfiltrate passwords from the user's keychain.

Also in:

Launched just days ago, the latest release of Apple's operating system for Macs contains a known zero-day vulnerability that could allow attackers to exfiltrate passwords from the user's keychain.

The flaw is also in older versions of macOS, so Mac users are are affected regardless of whether or not they upgraded their systems. Patrick Wardle, chief security researcher at Synack and founder of Objective-See, says he reported the bug to Apple in early September, but not in time for it to be addressed by macOS version 10.13, also known as High Sierra.

Essentially a password manager, the Mac keychain stores users' passwords for their computer, servers, apps, and various websites and online services. Normally, its contents are accessible only by entering a master password. However, for research purposes, Wardle created an application that exploits an unidentified vulnerability in order to force the keychain to spill its secrets.

"On High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext password)," warned Wardle in a tweet on Monday, linking to a video of his application in action.

In an interview with SC Media, Wardle said he was withholding details of the vulnerability until Apple is able to patch it. "I will say the vulnerability is an implementation flaw in the operating system," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events