Some Apple Mac users are at risk of password theft due to a zero-day vulnerability discovered in some versions of the operating system.
Although the Mac keychain, the operating system's encrypted store for passwords and other secrets, is designed to release its contents to an application only after the user enters the keychain's master password, security researcher Patrick Wardle discovered a vulnerability that lets a rogue app read those passwords without it.
In a video demonstrating the flaw, a rogue app on the victim's Mac reads every password stored in the keychain and uploads them to an attacker's remote server, where they are collected with nothing more than the Netcat networking utility listening on a port.
The video shows that the theft requires no user interaction beyond installing and running the rogue app: Mac OS shows no warning and never prompts for the master password.
Wardle notified Apple of his discovery, but decided to go public after Apple released High Sierra without patching the vulnerability.
Apple said in a statement: “Mac OS is designed to be secure by default, and Gatekeeper [Mac OS security feature] warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval.
“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that Mac OS presents.”
However, for just $99 a year an attacker can join the Apple Developer Program and obtain a Developer ID signing certificate. An app signed with it passes Gatekeeper's check without the warning Apple describes, whatever password-stealing functionality is embedded inside it.
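Because Gatekeeper only checks that an app carries an Apple-issued signature, the practical check a user or administrator can run is to see who signed the app, not merely whether it is signed. The following shell snippet is an added example, not code from the article or from Wardle: it wraps the `spctl` and `codesign` tools that ship with macOS and extracts the Developer ID authority and team identifier from `codesign -dvv` output. The app path, bundle identifier, company name and team identifier in the sample output are constructed placeholders, not real signers.

```shell
#!/bin/sh
# Added example (not from the article): inspect an app bundle's code signature
# and Gatekeeper verdict on macOS. Gatekeeper's verdict means "signed with an
# Apple-issued identity", not "trustworthy", so the useful output is WHO signed
# the app (the Developer ID authority and TeamIdentifier).

# Pull the Developer ID authority and TeamIdentifier out of `codesign -dvv`
# output. Pure text processing, so it can be exercised with constructed output
# on any system. Prints "<authority>|<team id>".
parse_signer() {
    # $1: text of `codesign -dvv <app>` (codesign writes it to stderr)
    printf '%s\n' "$1" | awk -F= '
        /^Authority=Developer ID Application/ { auth=$2 }
        /^TeamIdentifier=/ { team=$2 }
        END {
            if (auth == "") auth = "(no Developer ID authority)"
            if (team == "") team = "(none)"
            printf "%s|%s\n", auth, team
        }'
}

# Run the real tools against an app bundle (macOS only).
assess_app() {
    app="$1"
    # spctl applies the same policy Gatekeeper uses when a quarantined app is
    # first launched; "accepted" only means the signature chains to Apple.
    if spctl --assess --type execute -vv "$app" 2>&1 | grep -q 'accepted'; then
        verdict="accepted by Gatekeeper"
    else
        verdict="rejected by Gatekeeper (unsigned or invalid signature)"
    fi
    sig="$(codesign -dvv "$app" 2>&1)"
    signer="$(parse_signer "$sig")"
    printf '%s\n%s\nsigner: %s\nteam: %s\n' \
        "$app" "$verdict" "${signer%%|*}" "${signer#*|}"
}

# Constructed sample of `codesign -dvv` output for a Developer ID-signed app.
# The path, identifier, company and team ID are placeholders.
SAMPLE_SIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample for an ad-hoc signed app with no Apple-issued identity;
# Gatekeeper would refuse this one, which is the case Apple's statement covers.
SAMPLE_ADHOC='Executable=/tmp/Rogue.app/Contents/MacOS/Rogue
Identifier=rogue
Signature=adhoc'

# Usage on macOS: assess_app /Applications/Example.app
```

A signature that chains to a Developer ID only tells you which paid developer account signed the app; that is the identity to judge, and a name you do not recognise deserves the same suspicion as an unsigned app.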
Although Apple runs a bug bounty programme that pays up to $200,000 for security vulnerabilities in iOS, the operating system of the iPhone and iPad, it has no equivalent programme for Mac OS.
“Unfortunately, when such ‘security’ features are introduced – even if done so with the noblest of intentions – they often just complicate the lives of third-party developers and users without affecting the bad guys (who don’t have to play ‘by the rules’),” he wrote. “High Sierra’s SKEL’s flawed implementation is a perfect example of this.
“Of course, if Apple’s ultimate goal is simply to continue to wrestle control of the system away from its users, under the guise of ‘security’, I’m not sure any of this even matters.”