Some Apple Mac users are at risk of password theft due to a zero-day vulnerability discovered in some versions of the operating system.
A vulnerability in High Sierra and earlier versions of Mac OS can be exploited to steal plaintext passwords stored in the Mac keychain, according to security researcher Patrick Wardle.
Although the Mac keychain digital vault is designed to allow access to applications only if the user enters a master password, Wardle discovered a vulnerability that allows rogue apps access to steal passwords.
Wardle, a researcher at security firm Synack and a former US National Security Agency (NSA) employee, posted a video online to support his claim.
The video shows a rogue app on the victim's Mac sending every password stored in the keychain to a remote server on which the attacker is running the Netcat networking utility.
It also shows that the theft requires no user interaction beyond installing the rogue app, and triggers neither a warning from Mac OS nor a prompt for the keychain's master password.
Wardle notified Apple of his discovery, but decided to go public after Apple released High Sierra without patching the vulnerability.
Apple said in a statement: “Mac OS is designed to be secure by default, and Gatekeeper [Mac OS security feature] warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval.
“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that Mac OS presents.”
However, for just $99 a year, attackers could join the Apple Development Program, which would allow them to sign apps with embedded functionality to steal passwords.
Although Apple has a bounty program that pays as much as $200,000 for security vulnerabilities in iOS, the operating system that runs iPhones and iPads, the company does not have a similar program for Mac OS.
Earlier this month, Wardle blogged about another zero-day vulnerability in High Sierra’s SKEL (secure kernel extension loading) feature that allows attackers to bypass that protection.
“Unfortunately, when such ‘security’ features are introduced – even if done so with the noblest of intentions – they often just complicate the lives of third-party developers and users without affecting the bad guys (who don’t have to play ‘by the rules’),” he wrote. “High Sierra’s SKEL’s flawed implementation is a perfect example of this.
“Of course, if Apple’s ultimate goal is simply to continue to wrestle control of the system away from its users, under the guise of ‘security’, I’m not sure any of this even matters.”