Unsigned Apps Can Steal macOS Keychain Passwords

Just as Apple launched the latest version of macOS, High Sierra 10.13, a researcher published a video to show how unsigned applications can steal data from the operating system’s Keychain password management system.

Patrick Wardle, director of research at Synack, revealed on Monday that High Sierra and previous versions of macOS are vulnerable. The video made by the expert shows how an unsigned application can programmatically dump and exfiltrate sensitive data from the Keychain, including plaintext passwords, without needing the master password.

The attack does require the targeted user to download and execute a malicious application, and ignore the warnings displayed when a program from an unidentified developer is being launched. However, the attack does not require root permissions.

Apple has been informed of the vulnerability and provided proof-of-concept (PoC) code. Wardle has not made public any technical details to prevent malicious actors from exploiting the flaw.

Until a patch may become available, Apple has advised customers to download software only from trusted sources and pay attention to the security warnings displayed by the operating system.

Over the past years, researchers have found several vulnerabilities that could have allowed hackers to steal keychain secrets, and Apple, in most cases, released patches or made changes to prevent attacks.

This is not the only High Sierra vulnerability discovered by Wardle in recent weeks. Earlier this month, he demonstrated how attackers can bypass the new Secure Kernel Extension Loading (SKEL) security feature introduced in the latest version of macOS.

The researcher has found several vulnerabilities and design flaws in Apple software in recent years, including ways to bypass the Gatekeeper security system, abuse legitimate apps to spy on users, and conduct DLL hijacking attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *