Apple's latest and greatest operating system, macOS High Sierra, hit the digital airwaves on September 25 — promising a free upgrade to Macs around the world with at least 2GB of memory. And while the OS is chock-full of exciting new features, it's the vulnerabilities that have at least one security researcher excited.
That's because it turns out that, with just a little bit of effort, hackers can steal all your passwords off a computer running High Sierra. Which, frankly, is not a good look for Apple.
According to security researcher Patrick Wardle, he was able to run an unsigned app on the new OS that could steal plaintext passwords. He posted evidence of his proof of concept to Twitter, and included a link to a video demonstrating an app he dubbed "keychainStealer."
"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data .... including your plain text passwords," he explained on Patreon. "This is not something that is supposed to happen!"
Importantly, he noted that while he has only tested High Sierra, it appears that El Capitan is vulnerable as well. But the news isn't all bad, as Wardle emphasized that for this to work your computer would first have to be infected with malware.
"As this is a local attack, this means a hacker or piece of malware must firstinfect your your Mac," Wardle reassured concerned readers. "Typical ways to accomplish this include emails (with malicious attachments), fake web popups ("your Flash player needs updating"), or sometimes legitimate application websites are hacked (e.g. Transmission, Handbrake, etc)."
Apple, for its part, isn't that impressed with the exploit — although a spokesperson confirmed they are looking into it.
"macOS is designed to be secure by default, and [Apple security feature] Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit