Patrick Wardle, a white-hat hacker who formerly worked for the National Security Agency, posted a video of how the exploit can steal plaintext passwords stored in the Mac keychain, the built-in credential store on macOS. In a statement to Ars Technica, he explains that Apple’s security measures have long fallen short of the mark.
“As a passionate Mac user, I’m continually disappointed in the security on macOS,” said Wardle. “I don’t mean that to be taken personally by anybody at Apple – but every time I look at macOS the wrong way, something falls over. I felt that users should be aware of the risks that are out there.”
Hacking users’ passwords
In his demonstration, Wardle shows how using a “keychainStealer” app can expose users’ passwords for several different accounts, including Facebook, Twitter, and even Bank of America.
In a statement, Apple said that macOS is “designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in [Wardle’s video], and prevents them from launching the app without explicit approval [from the user].”
It’s true that Gatekeeper keeps Mac users from installing apps that aren’t digitally signed, such as the one that Wardle used in his video. However, it should be noted that a hacker can easily digitally sign an app by applying for membership in the Apple Developer Program, which costs $99 per year. With those credentials, hackers could then use an app similar to Wardle’s to execute the same actions.
Additionally, Wardle says that he reported the vulnerability to Apple back in August so that the company could fix it before rolling High Sierra out to the public. Unfortunately, it seems that Apple decided to release the new OS without fixing the issue first.
Wardle points out that the vulnerability may not be exclusive to High Sierra, and that earlier versions of macOS could be similarly affected.