macOS Flaw Exposes Plaintext Keychain Credentials

On Monday, security researcher Patrick Wardle posted a proof-of-concept video demonstrating an exploit of a vulnerability in macOS that allows a remote threat actor to extract plaintext passwords from Keychain using a signed or unsigned app. According to Wardle, the vulnerability affects all versions of macOS, including the newest version, High Sierra, also released on Monday. Wardle did not disclose the method used to exploit the vulnerability and notified Apple on September 7. Exploiting this vulnerability through an unsigned app would require a user to download a malicious app from an unofficial source and bypass the Gatekeeper feature, which blocks unsigned apps by default and requires user consent before the app is launched. However, according to Wardle, the vulnerability can also be exploited using a signed app, which requires membership in the Apple Developer Program and approval of the app through the App Review process before it is available in the Apple App Store. The NJCCIC recommends that users and administrators of Apple computers ensure apps are downloaded only from the official App Store and are thoroughly researched before installation. Within an enterprise setting, test the app in a non-production environment or on noncritical systems prior to installation. Despite this vulnerability, all Apple users are urged to update to the latest release and to install all subsequent updates as soon as possible.

Advisory | NJCCIC | Tags: Apple, macOS, Keychain