An ex-NSA hacker dropped a zero-day exploit for macOS High Sierra hours before its launch.
Patrick Wardle, currently working as chief security researcher at Synack, posted a video of the hack — a password exfiltration exploit.
Passwords saved on a Mac are stored and protected in the macOS keychain. However, Wardle has shown that an attacker could steal every password in plain text using an unsigned app downloaded from the internet, without needing the keychain password.
Wardle tested the exploit on Apple’s new OS, High Sierra, but he also said that older versions of macOS and OS X are vulnerable.
Here is the video of the attack, tweeted by Wardle:
The security researcher created a “keychainStealer” app demonstrating a local exploit for the vulnerability, which apparently can expose passwords for websites and services, as well as credit card numbers, while a user is logged in.
That exploit could be included in a legitimate-looking app, or be sent by email.
He reported the bug to Apple earlier this month, “but unfortunately the patch didn’t make it into High Sierra,” which was released Monday, he said.
“As a passionate Mac user, I’m continually disappointed in the security of macOS,” he said. “I don’t mean that to be taken personally by anybody at Apple — but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I’m sure sophisticated attackers have similar capabilities.”
“Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable,” he added.
Apple’s response (sent to CNET):
“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
Until this is fixed, we wouldn’t download and install any unsigned app if we were you.
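As an added example (not from the article or from Wardle’s proof of concept): a POSIX sh helper that asks Gatekeeper’s assessment tool and codesign whether an app bundle is signed and accepted before a scripted install opens it, so the decision does not rest on a user clicking through the dialog. It assumes macOS with spctl(8) and codesign(1); the function names and the sample output lines are constructed for illustration.

```shell
# Added example (not from the article or Wardle's PoC): gate a scripted app
# install on Gatekeeper's verdict instead of relying on the user to read the
# dialog. Assumes macOS with spctl(8) and codesign(1); function names here
# are hypothetical.

# classify_assessment: read `spctl --assess -vv` output on stdin and print
# one of: accepted, rejected, unknown. spctl prints "<path>: accepted" or
# "<path>: rejected", then a "source=..." line describing the signature.
classify_assessment() {
    verdict=unknown
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# signing_source: extract the "source=" value from the same output, e.g.
# "Developer ID", "Notarized Developer ID" or "no usable signature".
signing_source() {
    src=none
    while IFS= read -r line; do
        case "$line" in
            source=*) src="${line#source=}" ;;
        esac
    done
    printf '%s\n' "$src"
}

# check_app PATH: run the real tools; return 0 only when Gatekeeper accepts
# the bundle AND codesign confirms the signature still matches its contents.
# Not called at top level, so this file can be sourced on non-macOS hosts.
check_app() {
    app="$1"
    out=$(spctl --assess --type execute -vv "$app" 2>&1) || true
    verdict=$(printf '%s\n' "$out" | classify_assessment)
    src=$(printf '%s\n' "$out" | signing_source)
    if [ "$verdict" != accepted ]; then
        printf 'REFUSE %s: Gatekeeper %s (%s)\n' "$app" "$verdict" "$src"
        return 1
    fi
    # --strict also fails if the bundle was modified after it was signed
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        printf 'REFUSE %s: signature does not verify\n' "$app"
        return 1
    fi
    printf 'OK %s: %s\n' "$app" "$src"
}
```

Run `check_app /path/to/Downloaded.app` before opening anything fetched from outside the App Store; a non-zero exit means Gatekeeper or codesign refused it.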