Patrick Wardle, an ex-NSA hacker and now head of research at security firm Synack, found a critical zero-day vulnerability in macOS that could allow any installed application to steal usernames and plaintext passwords of online accounts stored in the Mac Keychain.
The macOS Keychain is a built-in password management system that helps Apple users securely store passwords for applications, servers, websites, cryptographic keys and credit card numbers—which can be accessed using only a user-defined master password.
Typically no application can access the contents of Keychain unless the user enters the master password.
"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data .... including your plain text passwords. This is not something that is supposed to happen!," Wardle said.
Wardle yesterday posted a proof-of-concept video of the exploit, demonstrating how the hack can be used to exfiltrate every single plaintext password from Keychain without requiring the user to enter the master password.
"macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval," said Apple in a statement released today.
"We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents."
Wardle claimed that he reported the issue to Apple last month, and made the public disclosure when the company planned to release High Sierra without fixing the vulnerability, which not only affects the newest version but also older versions of macOS.
Earlier this month Patrick disclosed another flaw in macOS High Sierra's kernel extension SKEL (Secure Kernel Extension Loading) security feature that could allow an attacker to run any third-party at kernel level extension without requiring user approval.