Mac High Sierra hijinks continue: Nasty apps can pull your passwords

Apple still hasn't been able to seal up keychain access hole for unsigned applications


A security shortcoming in earlier versions of OS X has made its way into macOS High Sierra despite an expert's best efforts to highlight the flaw.

Patrick Wardle, of infosec biz Synack, found that unsigned, and therefore untrustworthy, applications running on High Sierra, aka macOS 10.13, were able to quietly access sensitive information – including stored passwords and keys – without any notification to the user. Normally, apps, even signed trusted ones, trigger a prompt to appear on screen when touching the operating system's Keychain database of saved passphrases and other secrets.

In a short video, Wardle showed how his proof-of-concept unsigned app was able to lift the highly personal information on an updated High Sierra Mac. Wardle said he provided Apple the software and details of the flaw earlier this month, but a fix could not be deployed in time for this week's official High Sierra release. Wardle said a patch is likely in the works.

Still, the researcher reckoned the app should serve as a note of caution to anyone who regularly installs and runs applications downloaded from the internet on their Mac. Even legitimate apps, he noted, could possibly be compromised to exploit the vulnerability.

"Obviously, random apps should not be able to access the entire keychain and dump things like plaintext passwords," Wardle explained this week. "In fact, even signed Apple utilities (ie, /usr/bin/security) that are designed to legitimately access the keychain explicitly require user approval; or must authenticate (with the user's password) before they are allowed to retrieve sensitive keychain data."

This is not the first time the Synack researcher has poked holes in Apple's handling of software permissions. In 2015, Wardle was credited with discovering weaknesses that would let an attacker circumvent the security protections in Apple's app checker, the OS X Gatekeeper.

This is also not the first major security hole to be uncovered in the day-old High Sierra macOS.

Last week, as the OS was nearing its formal release, Wardle revealed that a flaw in the Security Kernel Extension Loading (SKEL) security tool allowed its protections to be easily bypassed, potentially leaving users vulnerable to low-level infections such as rootkits.

It goes without saying that macOS users should avoid running unsigned applications, and disable their execution from the system control panel. Essentially, the take-home here is: don't run unsigned apps. And if you or your friends or family really must do so, be mindful that even untrusted software can exfiltrate sensitive information that applications typically shouldn't have access to without your permission. ®
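The advice above boils down to two checks a Mac user can actually run before launching something downloaded from the internet: is Gatekeeper still enforcing its assessments, and does the bundle carry a valid signature that Gatekeeper would accept? The script below is an added example, not code from the article or from Wardle's proof-of-concept. It assumes macOS, where `spctl(8)` and `codesign(1)` exist; the two small parsing helpers (`gatekeeper_verdict`, `exit_verdict`) are pure functions so they can be exercised on any platform.

```shell
#!/usr/bin/env bash
# Added example: a pre-launch audit of one app bundle.
# Checks (1) that Gatekeeper assessments are enforced, (2) that the bundle's
# code signature verifies, and (3) that Gatekeeper would allow it to execute.
# Assumes macOS with spctl(8) and codesign(1); helper functions are pure.

# Translate the text of `spctl --status` into a one-word verdict.
gatekeeper_verdict() {
    case "$1" in
        *"assessments enabled"*)  echo "enforcing" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Translate a codesign/spctl exit status into a verdict: 0 means the signature
# (or assessment) was accepted; anything else covers unsigned, tampered or rejected.
exit_verdict() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    else
        echo "rejected"
    fi
}

# Audit one app bundle; the return value is the number of failed checks,
# so a zero exit status means nothing here argues against launching it.
audit_app() {
    app="$1"
    problems=0

    gk=$(gatekeeper_verdict "$(spctl --status 2>&1)")
    echo "Gatekeeper assessments: $gk"
    [ "$gk" = "enforcing" ] || problems=$((problems + 1))

    # --deep walks nested code inside the bundle; --strict applies current
    # signature-validity rules rather than legacy leniency.
    codesign --verify --deep --strict "$app" >/dev/null 2>&1
    sig=$(exit_verdict $?)
    echo "Code signature:         $sig"
    [ "$sig" = "ok" ] || problems=$((problems + 1))

    # Ask Gatekeeper itself whether it would permit this bundle to run.
    spctl --assess --type execute "$app" >/dev/null 2>&1
    gka=$(exit_verdict $?)
    echo "Gatekeeper assessment:  $gka"
    [ "$gka" = "ok" ] || problems=$((problems + 1))

    return "$problems"
}

# Usage: ./audit_app.sh /Applications/SomeApp.app
if [ "$#" -gt 0 ]; then
    audit_app "$1"
fi
```

A "disabled" Gatekeeper verdict or a "rejected" signature is exactly the situation the article warns about: an unsigned bundle that the system will happily run and that, on an unpatched High Sierra, could read the keychain without prompting. The script only reports; it does not change any settings.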
