Report: Security hole in macOS Keychain puts passwords at risk

Apple released macOS High Sierra on Monday, so it should be a nice way to spotlight the Mac this week after last week’s iOS 11 and iPhone 8 releases. But a report by a security researcher at Synack puts a bit of a damper on the High Sierra release.

Editor’s note: This article was updated at 3:37 p.m. Pacific with a statement from Apple.

Patrick Wardle, Synack’s head of research, posted a video on Monday that shows how code he wrote can be used to get passwords from macOS’s Keychain. Keychain is the password manger built into macOS, and it usually requires a master password to access it. But Wardle’s code was able to access Keychain and collect passwords. The video below is a demonstration posted by Wardle.

Steal y0 (macOS) Keychain from patrick wardle on Vimeo.

Wardle has not publicized the exploit he used, so it’s probably not being put to use by nefarious people or groups. The code Wardle used was executed through an unsigned app he created, and unsigned apps trigger macOS’s Gatekeeper. Gatekeeper prevents the app from opening automatically after downloading, and users can’t open an unsigned app by double-clicking it; you have to right-click the app and select Open. Even then, Gatekeeper also displays warnings about the unsigned app.

Apple has released a statement on the issue:

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”

As a matter of standard practice, do not download or install software that raises your suspicion. Stick with trusted sources. If you haven’t upgraded to High Sierra, you might consider holding off until Apple releases an update.