Apple’s latest and greatest operating system, macOS High Sierra, hit the digital airwaves on September 25 — promising a free upgrade to Macs around the world with at least 2GB of memory. And while the OS is chock-full of exciting new features, it’s the vulnerabilities that have at least one security researcher excited.
That’s because it turns out that, with just a little bit of effort, hackers can steal all your passwords off a computer running High Sierra. Which, frankly, is not a good look for Apple.
According to security researcher Patrick Wardle, he was able to run an unsigned app on the new OS that could steal plaintext passwords. He posted evidence of his proof of concept to Twitter, and included a link to a video demonstrating an app he dubbed “keychainStealer.”
“I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data …. including your plain text passwords,” he explained on Patreon. “This is not something that is supposed to happen!”
Importantly, he noted that while he has only tested High Sierra, it appears that El Capitan is vulnerable as well. But the news isn’t all bad, as Wardle emphasized that for this to work your computer would first have to be infected with malware.
“As this is a local attack, this means a hacker or piece of malware must first infect your your Mac,” Wardle reassured concerned readers. “Typical ways to accomplish this include emails (with malicious attachments), fake web popups (“your Flash player needs updating”), or sometimes legitimate application websites are hacked (e.g. Transmission, Handbrake, etc).”[embedded content]
Apple, for its part, isn’t that impressed with the exploit — although a spokesperson confirmed they are looking into it.
“macOS is designed to be secure by default, and [Apple security feature] Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval,” the spokesperson told Mashable via email. “We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
i just mentioned non-signed apps to show how low the bar is set….meaning, you don’t even have to be signed 😭 Signed apps work too
— patrick wardle (@patrickwardle) September 26, 2017
Wardle, meanwhile, is thankfully not looking to steal all your passwords. Instead, he contacted Apple about the exploit before going public and believes the company’s engineers are in the process of patching the High Sierra holes.
“As my discovery of this bug and report (in early September) was ‘shortly’ before High Sierra’s release, this did not give Apple enough time to release a patch on time,” he wrote. “However, my understanding is a patch will be forthcoming!”
Essentially, it all boils down to this: Don’t download sketchy apps, and make sure you always update your OS to the latest version in order to receive any and all patches. And, regardless of the specific threat posed by Wardle’s findings, that’s some basic security advice to live by.