Just prior to the release of macOS High Sierra, an ex-NSA employee revealed a vulnerability that allows an unsigned application to dump your entire keychain, which stores information such as credit card numbers and website passwords. While the security researcher, Patrick Wardle, now works for a security research firm named Synack, that didn't stop him from releasing a demo showcasing this vulnerability in action.
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— patrick wardle (@patrickwardle) September 25, 2017
For a company that takes pride in creating arguably the most secure devices and operating systems on the market, it's bad enough that the entire keychain can be siphoned from somebody's machine, but it is completely unacceptable that the contents could be accessed in plaintext.
Wardle goes on to say,
“If I was an attacker or designing an macOS implant, this would be the ‘dump keychain’ plugin,” (…)
“I reported it to Apple, but unfortunately the patch didn’t make it into High Sierra,”
Apple has not yet responded to requests for comment, although it is likely that they have either already patched this issue or fixed it entirely.
Source: ZDNet