Apple just launched macOS High Sierra, a Mac update that brings over several security improvements, including a new ad tracker blocker in Safari. But it also carried over a significant safety issue that would let any rogue app steal all the passwords you’ve saved in Keychain without your knowledge or any user interaction.
If you think that sticking with Sierra, for the time being, will fix it, you should know that older macOS versions are also susceptible to the same attack. You’re much better off upgrading to the latest macOS version.
The security threat was first discovered by a former NSA employee who found similar macOS security problems in the past. Patrick Wardle informed Apple about the issue on September 7th, and a patch should fix it in the near future. The security expert said he won’t reveal how the flaw works until Apple fixes it.
— patrick wardle (@patrickwardle) September 25, 2017
“Applications running on your system are able to access all the information in the Keychain without any user interaction,” Wardle told Gizmodo . “There’s a vulnerability that allows local code to access the keychain and bypass the security components.”
“If I can find these bugs, obviously nation states, malicious adversaries, and cybercriminals have tons more time and resources. I’m sure they’re finding these bugs as well,” he added.
That said, Wardle did say that it’s better to upgrade to High Sierra right now than waiting for the fix.
Apple, meanwhile, reminded Gizmodo that “macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogues that macOS presents.”
Until a fix is available, you should avoid installing any unsigned apps from shady sources, just like Apple says. If you have any installed, you should revisit your Keychain, and change the passwords saved in it. Then, you could also consider protecting Keychain with a password that’s different from your user login password. Finally, using a different password management fixes the problem, as you’re effectively replacing Keychain with something else.
A video showing the hack in action follows below: