A security researcher spoiled Apple’s release of macOS High Sierra today when he published a video showing a zero day exploit of the built-in password management system, Keychain. macOS uses the Keychain system to securely store encrypted passwords, cryptographic keys, and SSL certificates. Normally, applications should not be able to programmatically retrieve plaintext passwords from Keychain. In Patrick Wardle’s exploit video, he shows an unsigned application (an application with no cryptographic signature to verify the author) dump passwords in plaintext from Keychain and then exfiltrate them out to a remote server.
To Apple’s credit, macOS blocks users from directly executing unsigned applications downloaded from the internet. To launch an unsigned application, the user must use Finder to locate the app, right click, and manually chose “Open”. These added steps ensure that untrusted applications are not unknowingly executed on the system.
Wardle’s exploit video shows that the victim must still manually execute the malicious application. The prevalence of successful social engineering attacks like phishing though, proves that attackers can easily trick victims into performing additional actions when required. In a comment to Forbes, Wardle admits “I’m not going to say the exploit is elegant – but it does the job, doesn’t require root and is 100% successful.”
Wardle chose to not release any exploit code for the attack and Apple should be quick to patch the issue with an OS update. Until a patch is available, macOS High Sierra adopters should be extra careful around unsigned applications. Furthermore, users should always avoid downloading applications from unofficial sources. –Marc Laliberte