A particularly insidious Mac security threat was revealed just as macOS High Sierra was released on Monday, prompting warnings to avoid Apple’s new operating system. The security flaw, called keychainStealer, could expose your Keychain passwords, but it isn’t limited to High Sierra, and it isn’t a reason not to upgrade.
Synack security researcher Patrick Wardle demonstrated the flaw, showing how a potential attacker could gain access to your stored passwords. His demonstration involved installing an unsigned app on a Mac that dumps the contents of your Keychain database to a plain text file.
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— patrick wardle (@patrickwardle) September 25, 2017
Wardle told Forbes,
Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords. Normally you are not supposed to be able to do that programmatically.
Gizmodo reports Wardle alerted Apple to the threat on September 7th, and a patch is likely already in the works.
While the threat is real, it isn’t one most Mac users are likely to encounter. First, it isn’t a threat that’s in the wild—at least not yet. Second, it requires users to install an app that should trigger a Gatekeeper alert because it isn’t signed with a valid developer certificate.
Apple addressed that in a statement to Macworld saying,
macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.
Finally, keychainStealer assumes the user is logged into their Mac and is using the same password for their user account and Keychain database. If your Keychain password is different from your Mac login password, the hack doesn’t work.
If you aren’t upgrading to macOS High Sierra specifically because of keychainStealer, you aren’t doing anything to protect yourself, because the same threat exists in earlier macOS versions, too. Plus, macOS High Sierra has other security improvements you don’t get until you upgrade.
The real reason to wait to install macOS High Sierra is that critical apps you need to do your job aren’t compatible yet, or you’re in the middle of a client or work project.
If your keychain password is different from your login password, your Mac will repeatedly ask you to type in your keychain password whenever an app needs it. Changing the keychain password is therefore not a desirable long-term solution. Apple needs to fix this vulnerability.
Valid signed apps also have access to all your Keychain passwords via this bug – so Gatekeeper won’t necessarily flag a warning. That would require a “trusted developer’s” app packing malware, but that has happened. So don’t get too comfortable till Apple patches this bug.
So if I download an unsigned, unauthorized app, and bypass the warning, I can expose myself to danger. Definitely an Apple bug!