The newly released macOS High Sierra comes with a lot of new features—and at least one massive zero-day exploit.
Discovered by former NSA hacker Patrick Wardle, the exploit allows an attacker to steal the entire contents of a macOS Keychain in plain text. To make matters even worse, Wardle was able to steal passwords using an unsigned app downloaded and installed from the internet.
As if a flaw that lets hackers get at the entire contents of your Keychain password vault isn't bad enough, it's not just High Sierra that's vulnerable: Older versions of macOS and OS X can be exploited in the same way.
How to steal a Keychain
Password management: We take it for granted in an age where the average person has around 130 online accounts that require password access. Without master passwords and secure credentials storage we would all have to spend a lot more time trying to remember which password goes to which site.
Implicit in the popularity of password management is trusting that your system of choice is secure. If not, it's completely useless as a security tool.
SEE: Apple's iCloud Keychain: The smart person's guide (TechRepublic)
macOS has a built-in password manager called Keychain that is incredibly convenient, and most people don't give much thought to using it. It stores passwords, encryption keys, credit card data—everything you don't want to think about when browsing.
But Wardle discovered that the Keychain isn't as secure as you may think—and that's a huge problem.
The app that Wardle built can snag the entire contents of a macOS Keychain when someone runs the app and types a simple command into the terminal. Wardle's app requires manual execution, but he told ZDNet that there's no reason it couldn't be reworked to be a hidden process in a legitimate-looking app.
In a statement to CNET, Apple said that users who don't download apps from untrusted sources won't have to worry:
"MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents."
SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
In brief, Gatekeeper is the solution to your problems: It won't let unsigned apps be installed unless you let it, so don't. That's all well and good if Gatekeeper can be trusted, but we've already seen malware containing stolen Apple certificates in the wild.
Stolen certificates plugged into illegitimate apps allows attackers to bypass Gatekeeper without getting a second glance. If cybercriminals can duplicate Wardle's work then there's no reason they can't sneak it into a falsely signed app as well.
More security problems for Apple
This latest security issue is another in a concerning string of exploit revelations pertaining to Apple software. iOS is transmitting Exchange credentials in plain text, the Secure Enclave has been hacked, and dozens of iOS apps allow man-in-the-middle intercepts.
SEE: 2017 IT Security & Ethical Hacking Certification Training (TechRepublic Academy)
"Every time I look at macOS the wrong way something falls over," Wardle said. He added that Apple marketing has done a great job of convincing consumers that its products are secure. Recent revelations speak to the contrary, though: Apple has a security problem.
The more exploits that come to light, the more it seems like Apple isn't taking security seriously. That may not be causing a huge problem for the company now, but our lives are becoming increasingly digital. That means more passwords, biometrics, and exploit targets.
Will you be willing to settle into an ecosystem with a shaky security reputation when your entire digital life, and perhaps that of your company's, is on the line?
The top three takeaways for TechRepublic readers:
- A former NSA hacker found a serious flaw in macOS High Sierra: It's possible to steal the entire contents of the Keychain with an unsigned app. The exploit also works in older versions of macOS.
- The exploit could be hidden in legitimate-looking apps, allowing attackers to steal and transmit sensitive password, encryption key, and credit card information.
- This is another in a string of security issues for Apple. IT professionals need to consider whether Apple devices are the best choice for operational security.
- Worried about identity theft? Then you should avoid these password pitfalls (TechRepublic)
- Apple fixes dozens of security bugs for iPhones, Macs (ZDNET)
- The real reason companies don't take security seriously: Their money isn't on the line (TechRepublic)
- How to protect your Apple iCloud account (ZDNET)
- Identity theft protection policy (Tech Pro Research)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.