
Major macOS (incl. High Sierra) Keychain password extraction vulnerability to be addressed by Apple in update [Video]

A macOS vulnerability discovered by security researcher Patrick Wardle allows any app – signed or unsigned – to extract plain text passwords from Keychain. Wardle demonstrated the exploit with a proof of concept app, seen in the video below.

The vulnerability is a serious one, because Keychain data is encrypted with 256-bit AES, which should make it infeasible to recover by brute force, and because the bug affects all versions of macOS, including High Sierra.

Keychain access control is supposed to ensure that only the app authorized for a particular item can decrypt that password. But Wardle demonstrated that his app was able to extract and decrypt passwords for Twitter, Facebook, and Bank of America, and it did so without any user intervention.

The demonstration video shows the exploit running in an unsigned app, which macOS blocks by default, but Wardle says this was only to demonstrate how low the security bar is set. It works equally well in signed apps.

As a responsible researcher, Wardle reported the vulnerability to Apple on September 7 and will not disclose the method used until Apple has patched it. He told Gizmodo that the company is likely to do so soon.

He also says that this is not a reason to hold off on upgrading to High Sierra: it’s not a newly-introduced bug.

I think everyone should update. There’s a lot of good built-in security features. This attack works on older versions of macOS as well. There’s no reason for people not to upgrade.

Check out the video demo below.

Patrick Wardle is a former NSA staffer who last year demonstrated Mac malware that could tap into live webcam and microphone feeds. He also discovered Mac malware in the wild that allowed access to webcam photos, screenshots and key-logging, and a separate exploit that would let someone with local access to a Mac escalate their privileges to root.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
