Report: Security hole in macOS Keychain puts passwords at risk

Apple released macOS High Sierra on Monday, so it should be a nice way to spotlight the Mac this week after last week’s iOS 11 and iPhone 8 releases. But a report by a security researcher at Synack puts a bit of a damper on the High Sierra release.

Editor's note: This article was updated at 3:37 p.m. Pacific with a statement from Apple.

Patrick Wardle, Synack's head of research, posted a video on Monday that shows how code he wrote can be used to get passwords from macOS's Keychain. Keychain is the password manager built into macOS, and it normally requires the keychain password before an app can read the secrets stored in it. But Wardle's code was able to read the Keychain and collect the stored passwords without prompting the user for that password. The video below is the demonstration posted by Wardle.

[Video: "Steal y0 (macOS) Keychain", posted by Patrick Wardle on Vimeo]

Wardle has not published the details of the exploit he used, so it is unlikely to be in active use, although that is no guarantee that nobody else has found the same flaw. The code Wardle used ran from an unsigned app he created, and an unsigned app downloaded from the web triggers macOS's Gatekeeper. With the default setting, Gatekeeper prevents the app from opening automatically after downloading, and users can't open an unsigned app by double-clicking it; you have to right-click (or Control-click) the app and choose Open. Even then, Gatekeeper displays a warning about the unsigned app before it runs. Keep in mind what that check covers: Gatekeeper assesses where an app came from and whether it is signed, not what it does once you approve it. After the warning is clicked through, the app runs with the same privileges as any other program you launch, and Wardle's demonstration needed nothing more than that.

Apple has released a statement on the issue:

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”

As a matter of standard practice, do not download or install software that raises your suspicion. Stick with trusted sources. If you haven’t upgraded to High Sierra, you might consider holding off until Apple releases an update.

IDG Connect