Patrick Wardle, a former NSA hacker and now head of research at security firm Synack, has found a critical zero-day vulnerability in macOS that could allow any installed application to steal the usernames and plaintext passwords of online accounts stored in the Mac Keychain.
The macOS Keychain is a built-in password management system that lets Apple users securely store passwords for applications, servers and websites, along with cryptographic keys and credit card numbers, all of which are unlocked with a single user-defined master password. Normally no application can read the contents of the Keychain unless the user enters that master password.
“I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data … including your plain text passwords. This is not something that is supposed to happen! :(” said Patrick Wardle.
The security flaw reportedly resides in macOS’s kernel extension loading feature, SKEL (Secure Kernel Extension Loading), a weakness disclosed earlier this month that allows an attacker to load any third-party kernel extension without requiring user approval.
Patrick Wardle recently posted a proof-of-concept video of the attack, demonstrating how the flaw can be exploited to exfiltrate every single plaintext password from the Keychain without the user ever entering the master password.
Video: “Steal y0 (macOS) Keychain”, posted by Patrick Wardle on Vimeo.
The video shows how a malicious application, signed or unsigned, once installed lets an attacker remotely steal all the passwords stored in the Keychain, without the user being notified of the attack.
“macOS is intended to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval,” said Apple in a statement released today.
“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”
Patrick Wardle said that he reported the issue to Apple last month and went public with it when the company planned to release High Sierra without fixing the vulnerability, which affects not only the newest version but also older versions of macOS.