BREAKING: Zero Day Bug In macOS High Sierra Can Facilitate Password Theft [UPDATE: Fixed]
On the day that Apple decided to drop it’s latest and greatest OS which is macOS High Sierra, comes this bombshell from Patrick Wardle who a former NSA hacker who now serves as chief security researcher at Synack:
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— Patrick Wardle (@patrickwardle) September 25, 2017
Let me translate this for you. He has a proof of concept attack using an unsigned app that exploits a hole in macOS High Sierra that facilitates the theft of any or all of your passwords that are stored in the Keychain app.
Yikes!
Now Apple hasn’t responded to this zero day threat, but to be frank it has to respond. This is not a trivial issue and this can be a major threat to anyone who upgrades to this OS which was released an hour ago as I type this story. The other side of the fence is that because it requires the use of an unsigned app to get pwned, being careful should keep you safe. But regardless of which side of the fence you happen to agree with, Apple needs to get a fix for this out there now. Until then, you have to question if upgrading to Apple’s latest and greatest is a good idea.
UPDATE: This is now fixed. Details here.
September 26, 2017 at 9:47 am
[…] is there a reason that you shouldn’t upgrade to High Sierra? Frankly, other than this security hole, if your Mac support High Sierra (which any Mac that ran Sierra will), then this is a worthwhile […]
November 29, 2017 at 9:07 am
[…] has been slipping for a while. For example, around the time that macOS High Sierra shipped, there was a zero day bug that was discovered that allowed for password theft. Shortly after that another horrible security hole that Apple had to quickly patch appeared. Both […]