macOS High Sierra 10.13 was released to the public on Monday, September 25. It is a free update for all compatible Macs and is an upgrade to macOS 10.12 Sierra.
But within a matter of days, a zero-day (that is, a never-before-seen vulnerability) has come to light.
Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault.
But a former NSA contractor has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.
The exploit works on High Sierra, but the researcher said that older versions of macOS and OS X are also vulnerable.
Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action.
Steal y0 (macOS) Keychain from patrick wardle on Vimeo.