keychainStealer is Real, but Shouldn’t Stop You from Upgrading to macOS High Sierra

1 minute read
| Analysis

A particularly insidious Mac security threat was revealed just as macOS High Sierra was released on Monday prompting warnings to avoid Apple’s new operating system. The security flaw, called keychainStealer, could expose your Keychain passwords, but it isn’t limited to High Sierra, and isn’t a reason to not upgrade.

Synack security researcher Patrick Wardle demonstrated the flaw showing how a potential attacker could gain access to your stored passwords. His demonstration involved installing an unsigned app on a Mac that dumps the content of your Keychain database to a plain text file.

Wardle told Forbes,

Without root priveleges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords. Normally you are not supposed to be able do that programmatically.

Gizmodo reports Wardle alerted Apple to the threat on September 7th, and a patch is likely already in the works.

While the threat is real, it isn’t one most Mac users are likely to encounter. First, it isn’t a threat that’s in the wild—at least not yet. Second, it requires users to install an app that should trigger a GateKeeper alert because it isn’t signed with a valid developer certificate.

Apple addressed that in a statement to Macworld saying,

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.

Finally, keychainStealer assumes the user is logged into their Mac and are using the same password for their user account and Keychain database. If your Keychain password is different from your Mac login password, the hack doesn’t work.

keychainStealer security flaw in macOS High Sierra

keychainStealer may be bad, but it isn’t any reason to skip macOS High Sierra

If you aren’t upgrading to macOS High Sierra specifically because of keychainStealer you aren’t doing anything to protect yourself because the same threat exists in earlier macOS versions, too. Plus, macOS High Sierra has other security improvements you get until you upgrade.

The real reason to wait to install macOS High Sierra is because critical apps you need to do your job aren’t compatible yet, or you’re in the middle of a client or work project.

3 Comments Add a comment

  1. macjeffff

    So if I download an unsigned, unauthorized app, and bypass the warning, I can expose myself to danger. Definitely an Apple bug!

  2. boltar

    Valid signed apps also have access to all your Keychain passwords via this bug – so Gatekeeper won’t necessarily flag a warning. That would require a “trusted developer’s” app packing malware, but that has happened. So don’t get too comfortable till Apple patches this bug.

  3. BennyLava

    If your keychain password is different from your login password, your Mac will repeatedly ask you to type in your keychain password, whenever an app need it. Changing the keychain password is therefore not a desirable long-term solution. Apple needs to fix this vulnerability.

Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account