A security researcher has disclosed a password exfiltration zero-day that affects macOS version 10.13 (aka “High Sierra”) and earlier versions of the operating system.
On 25 September, Synack’s director of research Patrick Wardle tweeted out a video of the zero-day in action on a Mac virtual machine running High Sierra.
In the video, an app installs while a theoretical attacker running the Netcat network utility waits on a remote server.
The hypothetical malicious hacker follows up successful installation of the app by clicking an “exfil keychain” button. In doing so, they execute a script that exploits a zero-day vulnerability affecting the iCloud Keychain, an Apple feature which stores things like passwords and credit card credentials. The script subsequently steals everything stored in Keychain and uploads it to the server.
Wardle exploited the vulnerability by developing a third-party app that a user could theoretically download off a third-party website. In response to that attack vector, the folks at Apple would like to remind users to follow best security practices. As quoted in a statement provided to Ars Technica:
“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”
A good reminder. But not enough for Apple to get off scot-free.
On the contrary, Wardle reported this zero-day vulnerability to Apple in early September, but the tech giant failed to patch it prior to High Sierra’s public release on 25 September. This failure to protect users has left the researcher with a bitter taste in his mouth. As quoted by ZDNet:
“As a passionate Mac user, I’m continually disappointed in the security of macOS. I don’t mean that to be taken personally by anybody at Apple – but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I’m sure sophisticated attackers have similar capabilities.”
“Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable.”
Going forward, Apple would be wise to follow Wardle’s advice and expand its current iOS-exclusive bug bounty program to also cover macOS.
We can only hope that the publicity surrounding Wardle’s exploit pressures Apple to release a patch for this bug and for another zero-day flaw disclosed by Wardle in early September. And soon!
One comment on “Keychain-busting zero-day disclosed hours before release of macOS High Sierra”
I used to think Apple was losing its way…forgetting its roots. But I don't think that any more. Now I know it for certain.