"on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext password)," warned security researcher Patrick Wardle in a tweet on Monday.

Launched just two days ago, the latest release of Apple's operating system for Macs ships with an unpatched vulnerability that could allow attackers to exfiltrate passwords from the user's keychain.

The flaw is also present in older versions of macOS, so Mac users are affected regardless of whether or not they upgraded their systems. Patrick Wardle, chief security researcher at Synack and founder of Objective-See, says he reported the bug to Apple in early September, but not in time for it to be addressed in macOS version 10.13, also known as High Sierra.

Essentially a password manager, the Mac keychain stores users' passwords for their computer, servers, apps, and various websites and online services. Normally, its contents are released only after the user enters the keychain password, and an application that asks for an item it did not create is supposed to trigger that prompt. However, for research purposes, Wardle created an application that exploits an undisclosed vulnerability in order to force the keychain to spill its secrets without that interaction.

"On High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext password)," warned Wardle in a tweet on Monday, linking to a video of his application in action.

In an interview with SC Media, Wardle said he was withholding details of the vulnerability until Apple is able to patch it. "I will say the vulnerability is an implementation flaw in the operating system," he added.


Wardle also explained that the exploit only works if the computer is first compromised with code, perhaps by tricking a user into opening a malicious attachment or visiting a sketchy drive-by download website, or even by infecting a machine in a supply-chain attack, similar to how attackers this year sabotaged a HandBrake server to distribute the Mac-based malware Proton RAT.

But once the machine is infected, Wardle's keychain stealer app, or a similar exploit perhaps built into the malware itself, would be even more effective at stealing a user's passwords than relying on an old-fashioned keylogger, said Wardle, a former NSA staffer.

Wardle said he does not fault Apple for not patching the vulnerability in time for the launch of High Sierra. The researcher noted that by the time he had contacted Apple, the company had already begun shipping new computers with macOS 10.13 and did not want to distribute machines with two different OS versions.

But Wardle does think it's about time that Apple institutes a bug bounty program for macOS, much as it already has for iOS.

"They're shipping new versions of their operating system with security flaws, which to me is kind of disconcerting," said Wardle. "If Apple did have a bug bounty program [for macOS], it would encourage more security researchers to look for more security bugs which would overall increase the security of the system..."

Considering Apple's stated commitment to improving security, Wardle said he "wouldn't be surprised" if Apple ultimately does expand its bug bounty program to include macOS.

SC Media has reached out to Apple for comment.