macOS High Sierra Vulnerability Allegedly Allows Malicious Third-Party Apps to Access Plaintext Keychain Data

by

macOS High Sierra, released to the public today, could be impacted by a major security flaw that could allow a hacker to steal the usernames and passwords of accounts stored in Keychain.

As it turns out, unsigned apps on macOS High Sierra (and potentially earlier versions of macOS) can allegedly access the Keychain info and display plaintext usernames and passwords without a user's master password.

Security researcher and ex-NSA analyst Patrick Wardle tweeted about the vulnerability early this morning and shared a video of the exploit in action.


For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.

As demonstrated in the video above, Wardle created a proof-of-concept app called "keychainStealer" that was able to access plaintext passwords stored in Keychain for Twitter, Facebook, and Bank of America. Wardle spoke to Forbes about the vulnerability and said it's actually not hard to get malicious code running on a Mac even with Apple's protections in place.

keychainpasswordexploit

"Without root priveleges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords," Wardle told Forbes. "Normally you are not supposed to be able do that programmatically."

"Most attacks we see today involve social engineering and seem to be successful targeting Mac users," he added. "I'm not going to say the [keychain] exploit is elegant - but it does the job, doesn't require root and is 100% successful."

Wardle has not provided the full exploit code for malicious entities to take advantage of, and he believes Apple will patch the problem in a future update.

As Wardle has not released the full exploit code, it has not been double-checked by MacRumors or another source, so full details on the vulnerability are not known just yet.

Apple has not yet responded to requests for comment about the potential vulnerability.

Related Forum: macOS High Sierra

Popular Stories

airpods 4 blue

Apple Finally Explains How to Install New Firmware on Your AirPods

Monday January 27, 2025 11:17 am PST by
Apple regularly releases new firmware for the AirPods, AirPods Pro, and AirPods Max, but the company has historically provided limited information on how to initiate an update. That changed today, and Apple updated its AirPods firmware support page with more specific instructions. Prior to today, here's what Apple said on the subject: Firmware updates are delivered automatically while your...
Read Full Article58 comments
iPhone 17 Pro Dual Tone Horizontal 1

iPhone 17 Pro Launching This Year With These 8 New Features

Tuesday January 28, 2025 11:48 am PST by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. iPhone 17 Pro concept based on rumors Below, we recap key changes rumored for the iPhone 17 Pro models as of January 2025: More aluminum: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models ...
Read Full Article
iOS 18

iOS 18.3 Available as Soon as Today With These New Features

Monday January 27, 2025 6:35 am PST by
Update: Apple has released iOS 18.3. In its press release unveiling a new Black Unity Sport Loop for the Apple Watch today, Apple confirmed that iOS 18.3 is "upcoming." According to Bloomberg's Mark Gurman, Apple Stores are being instructed to update the software on demo devices today, so iOS 18.3 should be released either today or within the next few days. Below, we recap everything new...
Read Full Article19 comments
tvOS 18 Thumb 3

Apple Releases tvOS 18.3

Monday January 27, 2025 10:00 am PST by
Apple today released tvOS 18.3, the newest version of the tvOS 18 operating system that came out in September. tvOS 18.3 comes more than a month after Apple released tvOS 18.2, and it is available for the Apple TV 4K and the Apple TV HD models. tvOS 18.3 can be downloaded using the Settings app on the ‌Apple TV‌. Open up Settings and go to System > Software Update to get the new software....
Read Full Article20 comments
iOS 18

Apple Releases iOS 18.3 With Visual Intelligence and Notification Summary Improvements

Monday January 27, 2025 10:04 am PST by
Apple today released iOS 18.3 and iPadOS 18.3, the third major updates to the iOS 18 and iPadOS 18 software that came out last year. iOS 18.3 and iPadOS 18.3 come six weeks after Apple released iOS 18.2 and iPadOS 18.2. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. Apple has also released iPadOS 17.7.4 for...
Read Full Article113 comments
M6 MacBook Pro Feature 1

5 Reasons to Wait for Next Year's MacBook Pro

Monday January 27, 2025 4:25 am PST by
Apple in October 2024 overhauled its 14-inch and 16-inch MacBook Pro models, adding M4, M4 Pro, and M4 Max chips, Thunderbolt 5 ports on higher-end models, display changes, and more. That's quite a lot of updates in one go, but if you think this means a further major refresh for the MacBook Pro is now several years away, think again. Bloomberg's Mark Gurman has said he expects only a small...
Read Full Article110 comments
ipad january sale

Amazon's New iPad Sale Has Up to $300 Off M4 iPad Pro, M2 iPad Air, and iPad Mini 7

Tuesday January 28, 2025 7:32 am PST by
Today we're tracking a few iPad discounts on Amazon, including the new iPad mini 7, M2 iPad Air, and M4 iPad Pro. These deals include multiple all-time low prices on Apple's tablets, matching the prices we tracked over the holiday season in many cases. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us...
Read Full Article28 comments

Top Rated Comments

DblHelix Avatar
DblHelix
96 months ago
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Score: 58 Votes (Like | Disagree)
sequential Avatar
sequential
96 months ago
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
1. Would have been even greater if Apple had ppl who found these kind of bugs themselves before release.
2. You don't know if he found this yesterday. But sure hate on the guy who might have prevented your bank account password from ending up in the wrong hands.
Score: 52 Votes (Like | Disagree)
bladerunner2000 Avatar
bladerunner2000
96 months ago
On release day. That's embarrassing.
Score: 38 Votes (Like | Disagree)
carlsson Avatar
carlsson
96 months ago
OMG, to enable this software you have to enter System Preferences, answer YES on two dialogues, and also enter your password. Then it may STEAL your not encoded things stored in the keychain (by default everything is stored encoded). I think I'm going to Windows now. This is just too much!!!

/irony ended
Score: 34 Votes (Like | Disagree)
s15119 Avatar
s15119
96 months ago
sigh. don't download junk, don't jeopardize your computer. Common sense is the best anti-virus.
Score: 21 Votes (Like | Disagree)
bladerunner2000 Avatar
bladerunner2000
96 months ago
If he did find it yesterday, he should have disclosed it to Apple and given them 90 days to fix it.
He doesn't owe Apple anything. Just like Apple doesn't owe him anything. He did them a favour.
Score: 19 Votes (Like | Disagree)
Read All Comments