Apple Acknowledges Password Security Flaw In This Week's macOS High Sierra Release
It used to be that Macs were thought to be nearly immune to malware, viruses, and serious security issues. That is no longer the case: as the user base has grown, so has the amount of malware targeting the platform. Back in June, we talked about malware-as-a-service attacks targeting Macs. This week Apple launched a free update to macOS called High Sierra, and only a few days after the release Apple has acknowledged a security flaw in it.
Reports indicate that an app not signed by an Apple-approved developer can read passwords stored in the macOS keychain, the store the system uses when you ask it to remember a password for you. As of now, there is no evidence that any software has exploited the flaw to steal passwords in the wild. Nevertheless, the flaw casts a shadow over the launch of High Sierra.
If you download all your software through the Mac App Store, you should not have to worry about the flaw being exploited, The Washington Post reports, because an attacker first has to get you to run an untrusted app. If you frequently download software from third-party locations, however, you should be concerned. Apple issued a statement that said, "We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents."
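Apple's advice amounts to "run only what Gatekeeper trusts, and read the dialogs." The following script is an added example, not code from the article, from Apple, or from Wardle: it asks Gatekeeper through `spctl` whether an app bundle would be accepted and where its signature came from, so you can check a download before opening it. It assumes macOS with `spctl` on the PATH; the bundle path in the usage line and the `spctl` output fragments referenced in the comments are assumptions and constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): pre-launch Gatekeeper check
# for a downloaded app bundle, following Apple's "trusted sources" advice.
# Assumes macOS with spctl(8) available. Sample spctl output used in comments
# and tests is constructed, e.g. "/Applications/Example.app: accepted" followed
# by "source=Mac App Store" or "source=Developer ID".

# Reduce spctl's verbose assessment text to one word: accepted, rejected, or unknown.
# Returns 0 for accepted, 1 for rejected, 2 for anything else (e.g. spctl missing).
classify_assessment() {
    case "$1" in
        *": accepted"*) echo accepted; return 0 ;;
        *": rejected"*) echo rejected; return 1 ;;
        *)              echo unknown;  return 2 ;;
    esac
}

# Extract the "source=..." line that spctl -vv prints (e.g. "Mac App Store",
# "Developer ID", "no usable signature"). Prints "none" if there is no such line.
signing_source() {
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    [ -n "$src" ] && printf '%s\n' "$src" || printf 'none\n'
}

# Assess a bundle before opening it. Refuses anything Gatekeeper would reject and
# warns about accepted apps that did not come from the Mac App Store, since those
# are exactly the ones whose security dialogs deserve a careful read.
assess_app() {
    app=$1
    if [ ! -d "$app" ]; then
        echo "not an app bundle: $app" >&2
        return 2
    fi
    out=$(spctl --assess --type execute -vv "$app" 2>&1)
    verdict=$(classify_assessment "$out")
    origin=$(signing_source "$out")
    echo "$app: $verdict (source: $origin)"
    case "$verdict:$origin" in
        accepted:"Mac App Store") return 0 ;;
        accepted:*)
            echo "warning: $app is not from the Mac App Store; review the Gatekeeper dialog before trusting it" >&2
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage (assumed path): sh check_app.sh /Applications/Example.app
if [ -n "$1" ]; then
    assess_app "$1"
fi
```

A non-zero exit from `assess_app` means Gatekeeper would not run the bundle at all; a zero exit with the warning means the app is signed but came from outside the App Store, which is the case Apple's statement tells you to think twice about.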
The initial warning about the flaw came from security researcher Patrick Wardle on Monday. Wardle posted a video, which you can view below, showing the flaw being exploited to steal passwords; the demonstration app he devised, called keychainStealer, pulled Facebook, Twitter, and Bank of America passwords out of the keychain. When the app launches it also displays a request that Apple pay a macOS bug bounty to charity.
Wardle described the flaw to Forbes: "Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords. Normally you are not supposed to be able to do that programmatically." Wardle is not releasing the exploit code and says he expects Apple to patch the issue eventually.
Apple normally does not comment on security issues until an investigation is complete and a patch is ready. Apple's security updates support page states, "For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available."