September 27, 2017 by

MacOS Zero-Day Flaw Exposes Passwords in Plaintext

A critical flaw in the newly released version of macOS, High Sierra, allows a rogue application to read Keychain passwords in plain text, a security researcher has found.

First spotted by security researcher and former NSA employee Patrick Wardle, the zero-day flaw isn’t restricted to High Sierra (10.13) either: earlier versions of Apple’s operating system are exposed to the same password theft. For context, macOS stores credentials in Keychain, a password management system that holds a bundle of sensitive information including passwords, credit card details and cryptographic keys. Wardle reports that the attack works on several versions of macOS, including El Capitan, Sierra and High Sierra, which between them run on the large majority of Mac systems.

The exploit requires the end user to run a malicious application; the keychain-stealing code is embedded in that app and triggers when it launches. This isn’t hard to pull off: the code needs nothing unusual from the system, so even an unsigned application can carry it if the user lets it run, and the payload can be delivered in a multitude of ways, including trojanized or hacked versions of legitimate software or a download served through the web browser. By default macOS refuses to launch unsigned applications, but a signed application is allowed to run, and a code-signing certificate costs $99 per year through the Apple Developer Program, so signing is a low bar for an attacker. Once running, the app can not only plunder passwords from Keychain but also exfiltrate them, and it never has to ask for the keychain (master) password, because the login keychain is unlocked automatically when the user logs in.

“This attack is local, meaning malicious adversaries have to first compromise your mac in some way,” wrote Wardle.

In explaining how users can keep themselves from getting infected, he added:

[B]est bet – don’t get infected. This means run the latest version of macOS and don’t run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login), or (via the Keychain Access app) lock the keychain while you are not using it.
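The two preconditions described above (an app that is allowed to launch, and a login keychain that sits unlocked after login) can both be checked from the command line, and Wardle's suggested mitigation can be applied the same way. The script below is an added example written for this page; it is not part of the article and not Wardle's proof-of-concept. It uses the real `spctl` and `security` tools, but the output formats it matches on, the 300-second timeout, and the keychain path are assumptions made for the example, and on a non-Mac it falls back to constructed sample output so the parsing can be exercised anywhere. Note that a passing Gatekeeper check only means unsigned apps are blocked; a signed malicious app still runs, which is exactly the point the article makes about the $99 developer certificate.

```shell
#!/bin/sh
# Added example (not from the article, and not Wardle's proof-of-concept).
# Audits the two preconditions the article describes for this attack:
#   1. Gatekeeper: will this Mac launch unsigned code?  (`spctl --status`)
#   2. Login keychain: is it left unlocked indefinitely after login?
#      (`security show-keychain-info`)
# With --fix it applies Wardle's mitigation: lock the login keychain on
# sleep and after a period of inactivity, and lock it right now.
# Assumptions: the strings matched below are the formats macOS 10.12/10.13
# print; the 300 s timeout and the keychain path are choices made for
# this example, not values from the article.

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"
LOCK_TIMEOUT=300

# Classify `spctl --status` output: 0 if Gatekeeper is enforcing, 1 otherwise.
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify `security show-keychain-info` output. Prints one of:
#   never       keychain never auto-locks (the default the article warns about)
#   timeout=N   keychain locks after N seconds of inactivity
#   unknown     unrecognised output
keychain_lock_policy() {
  case "$1" in
    *no-timeout*) echo "never" ;;
    *timeout=*)   echo "timeout=$(printf '%s\n' "$1" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p')" ;;
    *)            echo "unknown" ;;
  esac
}

# Run the real commands on macOS; elsewhere fall back to constructed sample
# output (not captured from a real Mac) so the script runs on any machine.
collect_state() {
  if [ "$(uname -s)" = "Darwin" ]; then
    SPCTL_OUT=$(spctl --status 2>&1)
    KC_OUT=$(security show-keychain-info "$KEYCHAIN" 2>&1)
  else
    SPCTL_OUT="assessments enabled"
    KC_OUT="Keychain \"$KEYCHAIN\" no-timeout"
  fi
}

audit() {
  collect_state
  if gatekeeper_enabled "$SPCTL_OUT"; then
    echo "[ok]   Gatekeeper is enforcing: unsigned apps are blocked by default (signed ones still run)"
  else
    echo "[warn] Gatekeeper is disabled: any unsigned app can run and reach the keychain"
  fi
  policy=$(keychain_lock_policy "$KC_OUT")
  case "$policy" in
    never)     echo "[warn] login keychain never auto-locks; it stays open for every app you run" ;;
    timeout=*) echo "[ok]   login keychain auto-locks after ${policy#timeout=} s of inactivity" ;;
    *)         echo "[??]   could not parse keychain settings: $KC_OUT" ;;
  esac
}

# Wardle's mitigation: lock on sleep (-l) and after inactivity (-u -t N),
# then lock immediately. Only meaningful on macOS.
apply_fix() {
  security set-keychain-settings -l -u -t "$LOCK_TIMEOUT" "$KEYCHAIN"
  security lock-keychain "$KEYCHAIN"
}

case "${1:-}" in
  --fix) apply_fix && audit ;;
  *)     audit ;;
esac
```

Run it with no arguments to audit, and with `--fix` on the Mac itself to apply the lock settings; after that, any app that tries to read the keychain once it has locked will trigger the keychain password prompt instead of silently getting the secrets.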

A video demonstrating the hack can be found below:

Image credit: Pixabay.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
