MacOS can be exploited to reveal keychain passwords, researcher warns

Haythem Elmir

Launched just days ago, the latest release of Apple’s operating system for Macs contains a known zero-day vulnerability that could allow attackers to exfiltrate passwords from the user’s keychain.

The flaw is also in older versions of macOS, so Mac users are are affected regardless of whether or not they upgraded their systems. Patrick Wardle, chief security researcher at Synack and founder of Objective-See, says he reported the bug to Apple in early September, but not in time for it to be addressed by macOS version 10.13, also known as High Sierra.

Essentially a password manager, the Mac keychain stores users’ passwords for their computer, servers, apps, and various websites and online services. Normally, its contents are accessible only by entering a master password. However, for research purposes, Wardle created an application that exploits an unidentified vulnerability in order to force the keychain to spill its secrets.

« On High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext password), » warned Wardle in a tweet on Monday, linking to a video of his application in action.

In an interview with SC Media, Wardle said he was withholding details of the vulnerability until Apple is able to patch it. « I will say the vulnerability is an implementation flaw in the operating system, » he added.


To read the original article:

Laisser un commentaire

Next Post

Kazakhstan Banks hit by massive DDoS attack

According to local media, several banks in the country have faced a massive DDoS(Distributed Denial of Service) attacks over the past few days. The attack traffic came from several countries at the same time.  As a result, bank websites were unavailable for a certain time. One of the affected bank […]