Skip to main content
  1. Home
  2. Computing
  3. Apple
  4. News

A High Sierra bug in the MacOS update could make it easy to steal passwords

By
Add as a preferred source on Google

A security researcher as discovered a MacOS High Sierra bug that makes it easy for hackers to steal passwords and other hidden login credentials from a user’s system. The bug appears to give hackers the ability to access Keychain data in plaintext without knowing the master password.

The purpose of the Keychain is to hold on to various login credentials and other secretive information and to keep it hidden from prying eyes. Like third-party password managers, you’re only supposed to be able to access that information with a master password. With the bug in High Sierra though, it appears that unsigned apps are able to circumvent that safeguard entirely.

Recommended Videos

Discovered by ex-NSA analyst and security researcher Patrick Wardle (thanks MacRumors), the bug makes it possible to dump the contents of Keychain’s password storage, accessing everything from banking passwords, to your Facebook login in plaintext.

Steal y0 (macOS) Keychain

Perhaps even more concerning is that this bug may have existed for some time. Although it has been proven to work following the High Sierra update, it’s possible that it could also work with older versions of MacOS.

The one silver lining to this news is that, as with many attacks from nefarious individuals, a High Sierra user would need to download a malicious application from somewhere other than the App Store for the exploit to work. That’s something that Apple and most security professionals would heavily discourage, though it does sometimes happen.

To prove that the exploit exists, Wardle crafted a malicious app called “KeychainStealer,” which was able to reveal his phony Bank of America, Twitter, and Facebook login details with little effort. Although he hasn’t revealed the exact method of attack, it stands to reason that if he can figure it out, others will be able to as well, especially now that they know it’s possible.

For that reason some may not like that Wardle has been transparent with his concerns, though this story stands a much greater chance of forcing Apple to fix the bug than if he’d kept it to himself.

Still, it’s possible that this announcement isn’t entirely altruistic. Wardle does operate a Patreon to help support the creation of security software under his Objective-See brand, so this announcement should drive some interest in it.

Jon Martindale
Jon Martindale
Former Evergreen writer
Jon Martindale covers how to guides, best-of lists, and explainers to help everyone understand the hottest new hardware and…
Topics
Gemini will now take notes for you in Google Meet for you, if you the minimum $20 AI tax
Yet another Google subscription just dropped for Gemini
Google Meet Take Notes for me Gemini

Google has just released a useful Gemini feature, which you can try if you are a paying member of course. The company is now bringing "Take notes for me" for Gemini, which will be available in Google Meet for Google AI Pro and Google AI Ultra subscribers, along with eligible Workspace business customers.

For personal users, the feature starts with Google AI Pro, which costs $19.99 per month in the US. In other words, Gemini can now take your Google Meet notes, provided you pay the minimum AI tax.

Read more
After iPad Pro and MacBook Pro, the iMac could be the next in line for an OLED screen upgrade
iMac with M4

The iPhone got an OLED panel in 2017, while the iPad Pro followed in 2024. Even the MacBook Pro is expected to follow later this year or early next year. But what about the iMac?

According to TrendForce, the iMac could get an OLED upgrade. There's no timeline yet, but the direction is clear. Apple wants to replace its current display technologies with OLED, raising the bar for color quality for both regular users and professionals.

Read more
This $1,299 gaming PC wants to be a Steam Machine without waiting for Valve
Valve’s Steam Machine dream is already real in MetaPC's new prebuilt
MetaPC's Steamroller is a new Steam Machine rival

Valve’s Steam Machine may be the face of SteamOS, but the platform isn't exclusive to it. A big announcement after Steam Machine's unveiling was that SteamOS would be arriving on systems outside of the new hybrid console. Now, MetaPCs is one of the first to take advantage of this by opening the preorders for the Steamroller, a new prebuilt gaming desktop that ships with SteamOS installed by default.

Though Steamroller is not trying to be a tiny console-like cube. It is a normal desktop PC with standard parts and a real upgrade path. The system costs $1,299 and is listed with a preorder date of July 3, 2026.

Read more