Pixel Envy

Written by Nick Heer.

MacOS Reportedly Vulnerable to Keychain Exfiltration Bug

Patrick Wardle of penetration testing firm Synack posted a short video of this security hole in action. In short, it appears that the only requirement is for the user to download and execute an unsigned application; after that, the user’s Keychain is dumped in plain text.

Thomas Fox-Brewster of Forbes spoke with Wardle about the vulnerability:

“Most attacks we see today involve social engineering and seem to be successful targeting Mac users,” he added. “I’m not going to say the [keychain] exploit is elegant – but it does the job, doesn’t require root and is 100% successful.”

That’s a hell of a combination.

This is being described in several places as a High Sierra-specific problem. It isn’t; Wardle has clarified on Twitter that other versions of MacOS are also vulnerable.

Update: Wardle has also stated on Twitter that signed apps could potentially be vehicles for distributing this malware, too — it’s not difficult to imagine a circumstance similar to last year’s incident when ransomware was briefly attached to copies of Transmission.

Roman Loyola of Macworld got a statement from Apple on this:

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”

Users are inundated with dialog boxes and security warnings — surely Apple knows that very few people actually read them.1 And, again, I stress that this malware could be attached to a totally legitimate signed app. Apple could invalidate the developer’s certificate if something like this were to be discovered in the wild, but that doesn’t mean that the security issue doesn’t exist. They have to be working on a fix for this, too, right?

  1. The only effective way I’ve seen of presenting security warnings is the one that Safari displays when you try to visit an address marked as a possible phishing domain. It requires the user to click the “Show Details” button and actually read the text to find the link to visit the site. ↩︎