MacOS Zero-Day Flaw Exposes Passwords in Plaintext

A critical flaw in the newly-released version of macOS, High Sierra, allows rogue applications to retrieve passwords in plain text, researchers have discovered.

First spotted by ex-NSA employee Patrick Wardle, a security researcher, the zero-day flaw isn’t restricted to High Sierra (10.13) either, exposing previous versions of Apple’s operating system to password theft. For context, macOS uses Keychain – a password management system that stores a bundle of sensitive information including passwords, credit card details and cryptographic keys. Wardle reveals that the attack appears to work on several versions of macOS, including El Captain, Sierra and High Sierra, three operating systems used by a significant majority of Mac systems.

The exploit requires the end user to install a remote application to embed and trigger the attack. This, however, isn’t hard to pull off as even unsigned applications can trigger a vulnerability with the payload deliverable in a multitude of ways including rogue/hacked versions of legitimate software or even web browsers. By default, macOs doesn’t allow unsigned applications to take flight but a signed application can, at the cost of $99 per year for the Apple Developer Program. Passwords can not only be plundered from Keychain, they can also be exfiltrated without the need for a master password.

“This attack is local, meaning malicious adversaries have to first compromise your mac in some way,” wrote Wardle.

In explaining how users can keep themselves from getting infected, he added:

[B]est bet – don’t get infected. This means run the latest version of macOS and don’t run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it. 

A video demonstrating the hack can be found below:

Image credit: Pixabay.