A macOS vulnerability discovered by security researcher Patrick Wardle allows any app – signed or unsigned – to extract plain text passwords from Keychain. Wardle demonstrated the exploit with a proof of concept app, seen in the video below.
The vulnerability is a serious one. Keychain data is encrypted with 256-bit AES, so the stored secrets cannot practically be brute-forced; the bug does not attack the encryption at all, but lets an app with no right to a password obtain it in decrypted form. It also affects all versions of macOS, including High Sierra.
Keychain is designed so that only an app authorized for a particular item can read that password; other apps normally trigger a prompt asking the user to allow access. Wardle showed his app extracting and decrypting stored passwords for Twitter, Facebook and Bank of America with no user intervention at all.
The demonstration video shows the attack running from an unsigned app, which macOS blocks from launching by default, but Wardle says he used one only to demonstrate how low the bar is set. The attack works equally well from a signed app, which Gatekeeper would let run.
Following responsible disclosure, Wardle reported the vulnerability to Apple on September 7 and will not reveal the method used until Apple has patched it. He told Gizmodo that the company is likely to do so soon.
He also says that this is not a reason to hold off on upgrading to High Sierra: it’s not a newly-introduced bug.
I think everyone should update. There’s a lot of good built-in security features. This attack works on older versions of macOS as well. There’s no reason for people not to upgrade.
Check out the video demo below.
Patrick Wardle is a former NSA staffer who last year demonstrated Mac malware that could tap into live webcam and microphone feeds. He also discovered Mac malware in the wild that allowed access to webcam photos, screenshots and key-logging, and a separate exploit that would let someone with local access to a Mac escalate their privileges to root.