Skip to main content
  1. Home
  2. Computing
  3. News

A High Sierra bug in the MacOS update could make it easy to steal passwords

Jon Martindale
By

how to download MacOS High Sierra
A security researcher as discovered a MacOS High Sierra bug that makes it easy for hackers to steal passwords and other hidden login credentials from a user’s system. The bug appears to give hackers the ability to access Keychain data in plaintext without knowing the master password.

The purpose of the Keychain is to hold on to various login credentials and other secretive information and to keep it hidden from prying eyes. Like third-party password managers, you’re only supposed to be able to access that information with a master password. With the bug in High Sierra though, it appears that unsigned apps are able to circumvent that safeguard entirely.

Related Videos

Discovered by ex-NSA analyst and security researcher Patrick Wardle (thanks MacRumors), the bug makes it possible to dump the contents of Keychain’s password storage, accessing everything from banking passwords, to your Facebook login in plaintext.

Related
Steal y0 (macOS) Keychain

Perhaps even more concerning is that this bug may have existed for some time. Although it has been proven to work following the High Sierra update, it’s possible that it could also work with older versions of MacOS.

The one silver lining to this news is that, as with many attacks from nefarious individuals, a High Sierra user would need to download a malicious application from somewhere other than the App Store for the exploit to work. That’s something that Apple and most security professionals would heavily discourage, though it does sometimes happen.

To prove that the exploit exists, Wardle crafted a malicious app called “KeychainStealer,” which was able to reveal his phony Bank of America, Twitter, and Facebook login details with little effort. Although he hasn’t revealed the exact method of attack, it stands to reason that if he can figure it out, others will be able to as well, especially now that they know it’s possible.

For that reason some may not like that Wardle has been transparent with his concerns, though this story stands a much greater chance of forcing Apple to fix the bug than if he’d kept it to himself.

Still, it’s possible that this announcement isn’t entirely altruistic. Wardle does operate a Patreon to help support the creation of security software under his Objective-See brand, so this announcement should drive some interest in it.

Editors' Recommendations

Topics
Bing Image Creator brings DALL-E AI-generated images to your browser
Bing Image Creator being used in the Edge sidebar.

Microsoft isn't slowing down its momentum in generative AI. Just a month since it launched the ChatGPT-based Bing Chat, the company is now introducing Bing Image Creator, which brings text-to-image generation right to your browser.

Bing Image Creator lets you create images from text using DALL-E, which is OpenAI's own text-to-image AI model. Microsoft says it's using "an advanced" version of DALL-E, though the company didn't provide specifics about how it was different than the current DALL-E 2 model. This isn't dissimilar, though, to how Bing Chat was announced, which had been running on GPT-4 before the new model had even been announced.

Read more
The Windows 11 taskbar is getting an important new update
windows 11 taskbar third party app pinning

Microsoft is working on new experiences for Windows that will allow developers to enable pinning for third-party applications, as well as enable pinning to the Taskbar.

Microsoft recently announced the details of these upcoming functions in a blog post. This is the brand's attempt to universalize its pinning process across all apps used on Windows. In practice, it will be similar to how pinning works on the Edge browser, with the Windows 11 users being notified by the Action Center about a request for pinning to the Taskbar by the app in question.

Read more
GPT-4: how to use, new features, availability, and more
A laptop opened to the ChatGPT website.

ChatGPT-4 has officially been announced, confirming the longtime rumors around its improvements to the already incredibly impressive language skills of OpenAI's ChatGPT.

OpenAI calls it the company's "most advanced system, producing safer and more useful responses." Here's everything we know about it so far.
Availability

Read more