Some Mac users at risk of password theft after 0-day vulnerability discovered

William Gayde


A vulnerability in macOS High Sierra and earlier versions has been discovered that allows attackers to steal passwords in plaintext from the operating system's keychain. The disclosure came on the same day High Sierra was released to the public. A video demonstrating the attack was posted online by former NSA hacker Patrick Wardle.

The macOS keychain is built-in software that stores a user's passwords; ordinarily, user programs cannot read its contents unless the master password is entered. The vulnerability exploits a weakness in the keychain that lets a malicious app exfiltrate every stored password in plaintext without the master password ever being entered.

The malicious software automatically uploads the stolen credentials to a server and requires no user interaction beyond the initial installation. The app runs silently, and the operating system does not notify the user of the attack. The malware is, of course, not signed by Apple, so most users would get a warning when attempting to install and run it in the first place. However, a membership in the Apple Development Program costs only $99 a year and would allow the attacker to digitally sign the app, removing that warning.

Here is Apple's official statement on the matter:

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.

Wardle notified Apple of the vulnerability weeks ago but has since made the attack public after Apple released High Sierra without patching it. While Apple pays up to $200,000 for iOS bugs, there is currently no bounty program for macOS.


 
"Here is Apple's official statement on the matter:

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.

Wardle notified Apple of the vulnerability weeks ago but has since made the attack public after Apple released High Sierra without patching it. While Apple pays up to $200,000 for iOS bugs, there is currently no bounty program for macOS."

This is code for "we don't care about our users, stay in our walled garden or bad things will happen" or more likely "we don't want to spend money fixing an OS that makes only a tiny portion of our ridiculous profits".
 
"Here is Apple's official statement on the matter:

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.

Wardle notified Apple of the vulnerability weeks ago but has since made the attack public after Apple released High Sierra without patching it. While Apple pays up to $200,000 for iOS bugs, there is currently no bounty program for macOS."

This is code for "we don't care about our users, stay in our walled garden or bad things will happen" or more likely "we don't want to spend money fixing an OS that makes only a tiny portion of our ridiculous profits".

A great emotional response, but after employing the thinking side of the brain, one is struck by the intent of the comments: "If you don't use the built-in security, well golly, you are less secure." It's true Apple should fix this, and is probably working on it; the real question is what the reason is they didn't get the fix done, or whether it is just a low risk if you run with security turned on. I guess we will have to see how long the fix takes to get released and to read Apple's comment. They might just be more knowledgeable than some random people writing comments who are totally unaware of the details.
 
Wardle notified Apple of the vulnerability weeks ago but has since made the attack public after Apple released High Sierra without patching it.

This reminds me of the article I read a while back that made me laugh. Something about Google finding a vulnerability in Windows and informing Microsoft. Then after months have passed, Microsoft left it unpatched so Google posted it publicly and Microsoft blew their lid. They went off saying it's all Google's fault for finding and pointing out the vulnerability.
 
"Here is Apple's official statement on the matter:

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.

Wardle notified Apple of the vulnerability weeks ago but has since made the attack public after Apple released High Sierra without patching it. While Apple pays up to $200,000 for iOS bugs, there is currently no bounty program for macOS."

This is code for "we don't care about our users, stay in our walled garden or bad things will happen" or more likely "we don't want to spend money fixing an OS that makes only a tiny portion of our ridiculous profits".

A great emotional response, but after employing the thinking side of the brain, one is struck by the intent of the comments: "If you don't use the built-in security, well golly, you are less secure." It's true Apple should fix this, and is probably working on it; the real question is what the reason is they didn't get the fix done, or whether it is just a low risk if you run with security turned on. I guess we will have to see how long the fix takes to get released and to read Apple's comment. They might just be more knowledgeable than some random people writing comments who are totally unaware of the details.

The "thinking side of the brain" would also point out, in its everlasting snarkiness, that just because this exploit was done with an app from outside the walled garden does not mean that an app inside the garden couldn't be used for the same purpose. Apple has let malicious app updates slip before.

Saying "well use the walled garden" is not a proper excuse for not fixing an exploit.