Apple’s macOS High Sierra release has been marred by a former NSA hacker who revealed a serious zero-day security flaw lurking within the software. He claims even previous versions of the OS are exposed to attacks, so refusing to upgrade wouldn’t serve as a safeguard.
Patrick Wardle, currently working as the chief security researcher at Synack, tweeted a video of a ‘keychainStealer’ app he made to demonstrate the issue. He believes that macOS High Sierra is vulnerable to an exploitable implementation flaw which allows unsigned applications, such as those downloaded from the web or an email, to dump and exfiltrate your keychain.
Apple’s Keychain feature stores all your passwords and requires a master login password. However, keychainStealer was able to bypass this, as seen in the video. The exploit can steal your plaintext passwords for websites, credit card numbers, and services.
Wardle claims he told Apple about the problem in September. However, there doesn’t appear to be any patch for it in macOS High Sierra. Worryingly, it appears to be the second zero-day he’s found this month alone, with the first taking advantage of the software’s secure kernel extension loading feature.
Apple later released a statement on the matter, telling CNET that macOS’ Gatekeeper warns users against installing unsigned apps and stops them from opening the application without explicit approval. It encouraged users to download software only from trusted sources and pay attention to security dialogs.
While this is good advice in general, it doesn’t exactly solve the issue itself. Individuals may just ignore all the warning signs and open the app anyway. Apple didn’t state whether it would roll out a fix for the flaw in the future, but hopefully all the bad press will prompt it to do so.