Patrick Wardle, an ex-NSA hacker who now works as a chief security researcher at Synack, posted a video of the hack a password exfiltration exploit in action.
Passwords are saved in the Mac’s Keychain, which typically needs a master login key to access the vault.
But Wardle has confirmed that the vulnerability enables an attacker to grab and steal every key in plain-text using an unsigned app downloaded from the internet, without requiring that password.
Wardle tested the escapade on High Sierra but said that older versions of macOS and OS X are also exposed.
Wardle created a “keychainStealer” app showing a local exploit for the vulnerability, which according to the video, can reveal passwords to websites, services, and credit card numbers when a user is logged in.
That exploit could be involved in a legitimate-looking app, or be sent by email.
“If I was an intruder or designing a macOS implant, this would be the ‘dump keychain’ plugin,” said Wardle.
He told the bug to Apple earlier this month, “but sadly the patch didn’t make it into High Sierra,” he said, which was published Monday.
“As a passionate Mac user, I’m constantly disappointed in the security of macOS,” he said. “I don’t expect that to be taken personally by anybody at Apple but every time I look at macOS the wrong way something falls over. I felt that users should be informed of the risks that are out there I’m sure advanced attackers have similar capabilities.”
“Apple marketing has done a great job persuading people that macOS is secure, and I think that this is somewhat irresponsible and leads to problems where Mac users are careless and thus more vulnerable,” he added.
In his tweet, Wardle proposed that Apple should launch a macOS bug bounty program “for welfare.” Right now, Apple only has a bug bounty for iPhones and iPads, which funds up to $200,000 for high-end secure boot firmware exploits.
Take your time to comment on this article.
