A vulnerability in macOS High Sierra and earlier versions of macOS has been discovered that lets an attacker steal passwords in plaintext from the operating system's keychain. The disclosure came on the same day Apple released the High Sierra update to the public. A video demonstrating the attack was posted online by former NSA hacker Patrick Wardle.
The macOS keychain is the operating system's built-in credential store, holding a user's passwords and other secrets; ordinarily a program cannot read its contents unless the user enters the keychain's master password at the prompt macOS shows for that access. The attack abuses a weakness in the keychain to dump every stored password in plaintext without that master password ever being entered.
The proof-of-concept malware uploads the stolen credentials to a remote server automatically and needs no user interaction beyond getting the app installed and launched once. It runs silently, and the operating system gives the user no indication that the keychain has been read. The demo app is not signed with an Apple-issued developer certificate, so under default settings Gatekeeper warns most users before they can run it at all. That protection should not be overestimated, however: membership in the Apple Developer Program costs $99 a year and lets an attacker sign an app so it opens without that warning, and Gatekeeper is a check at first launch, not a runtime barrier, so a signed app that is allowed to run has the same access to the keychain as the unsigned one.
Here is Apple's official statement on the matter:
macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.
Wardle reported the vulnerability to Apple weeks before the release, but went public with the demonstration after High Sierra shipped without a fix. Apple pays up to $200,000 for iOS bugs, yet at the time of writing it runs no bug bounty program for macOS.