Password-theft 0day imperils users of High Sierra and earlier macOS versions

There’s a vulnerability in High Sierra and earlier versions of macOS that allows rogue applications to steal plaintext passwords stored in the Mac keychain, a security researcher said Monday. That’s the same day Apple released the widely anticipated High Sierra update.

The Mac keychain is a digital vault of sorts that stores passwords and cryptographic keys. Apple engineers have designed it so that installed applications can’t access its contents without the user entering a master password. A weakness in the keychain, however, allows rogue apps to steal every plaintext password it stores with no password required. Patrick Wardle, a former National Security Agency hacker who now works for security firm Synack, posted a video demonstration here.

The video shows a Mac virtual machine running High Sierra as it installs an app. Once the app is installed, the video shows an attacker on a remote server running the Netcat networking utility. When the attacker clicks the “exfil keychain” button, the app surreptitiously exfiltrates all the passwords stored in the keychain and uploads them to the server. The theft requires no user interaction beyond the initial installation of the rogue app, and neither the app nor macOS provides any warning or seeks permission.

An Apple representative e-mailed the following statement:

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.

Continually disappointed

By default, Gatekeeper prevents Mac users from installing apps unless they’re digitally signed by developers. While the app in the video is unsigned—and as a result can’t be installed on a default Mac installation—the vulnerability can be exploited by signed apps as well. All that’s required to digitally sign an app is a membership in the Apple Developer Program, which costs $99 per year. Wardle reported the vulnerability to Apple last month and decided to make the disclosure public when the company released High Sierra without fixing it first.

“As a passionate Mac user, I’m continually disappointed in the security of macOS,” Wardle told Ars. “I don’t mean that to be taken personally by anybody at Apple—but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there.”

Wardle said Apple would be well served by implementing a bug bounty program for macOS. Last year, the company established a bounty program that pays as much as $200,000 for security bugs in iOS, the operating system that runs iPhones and iPads. Apple has declined to pay researchers for private reports of security flaws in macOS. Earlier this month, Wardle published details of a second unfixed bug in High Sierra.