A security researcher has uncovered a vulnerability in Apple’s Mac operating system that could expose passwords stored in the software’s Keychain. The discovery comes just as Apple launched its newest version of macOS, called High Sierra, on Sept. 25.
Patrick Wardle, director of research at Synack, posted a video demonstrating the bug on Sept. 25, having reported the issue to Apple earlier this month, according to ZDNet and Gizmodo, which first reported the findings. The video shows an app extracting plaintext passwords for services such as Facebook, Twitter, and Bank of America from a Mac’s Keychain without the user ever being prompted for the Keychain’s master password. Apple is currently investigating the proof of concept shown in Wardle’s video.
The Keychain is an encrypted store built into macOS for passwords and account information, so that the user doesn’t have to remember and manage them. Although Wardle demonstrated the issue on High Sierra, he noted that other versions of macOS are also vulnerable.
Both signed and unsigned apps can exploit this vulnerability, Wardle said on Twitter, meaning that even an app signed with an Apple-issued developer certificate, which carries Apple’s stamp of approval as far as Gatekeeper is concerned and which Apple’s distribution channels accept, could carry out the attack. But Apple said in a statement that running an app like the one in Wardle’s video would require “explicit approval” from the user. “macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval,” an Apple spokesperson said to TIME. “We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.” Apple can also revoke a developer’s signing certificate at any time if a signed app is found to be behaving maliciously.
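Apple’s statement rests on Gatekeeper and on the app’s signature, so the practical question for a Mac user or admin is what those two things actually say about an app before it is launched. The following is an added example, not code from the article or from Wardle’s proof of concept: it wraps the two macOS tools involved (`spctl`, which gives Gatekeeper’s verdict, and `codesign`, which prints the signing chain) and classifies the chain into the cases the article distinguishes. The app path, the classifier’s category names, and the abbreviated `codesign` output embedded below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Checks to run on a Mac before trusting an app.
# /Applications/Example.app is a placeholder path; the SAMPLE_* strings are constructed
# imitations of `codesign -dv --verbose=4` output, included so the classifier can be
# exercised on a machine without the tools.

# Is Gatekeeper enabled at all? Prints "assessments enabled" or "assessments disabled".
gatekeeper_status() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl-unavailable"; return 0; }
    spctl --status 2>&1
}

# Would Gatekeeper let this app launch without the "unidentified developer" block?
# Prints "accepted" or "rejected" (or "spctl-unavailable" off macOS).
gatekeeper_verdict() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl-unavailable"; return 0; }
    if spctl --assess --type execute "$1" >/dev/null 2>&1; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Classify a signing chain from `codesign -dv --verbose=4 APP` output read on stdin:
#   app-store    - signed by Apple for Mac App Store distribution
#   developer-id - signed with an Apple-issued Developer ID; Gatekeeper allows these by default
#   other        - signed, but not by an Apple-anchored chain (ad hoc or self-signed)
#   unsigned     - codesign reported no signature at all
# Note what this does NOT tell you: a Developer ID signature names who signed the app;
# it says nothing about what the app does once it is running, which is Wardle's point.
classify_signature() {
    out=$(cat)
    case "$out" in
        *"code object is not signed at all"*)             echo "unsigned" ;;
        *"Authority=Apple Mac OS Application Signing"*)   echo "app-store" ;;
        *"Authority=Developer ID Application:"*)          echo "developer-id" ;;
        *)                                                echo "other" ;;
    esac
}

# Convenience wrapper that runs codesign on a real path (codesign writes to stderr).
signature_kind() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign-unavailable"; return 0; }
    codesign -dv --verbose=4 "$1" 2>&1 | classify_signature
}

# Constructed sample outputs (abridged) for two of the cases above.
SAMPLE_DEV_ID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_UNSIGNED='/Applications/Example.app: code object is not signed at all'

# Usage: run the classifier over the constructed samples, then (on a Mac) over a real app.
printf '%s\n' "$SAMPLE_DEV_ID"   | classify_signature   # developer-id
printf '%s\n' "$SAMPLE_UNSIGNED" | classify_signature   # unsigned
gatekeeper_status
gatekeeper_verdict /Applications/Example.app
signature_kind /Applications/Example.app
```

The split between `gatekeeper_verdict` and `signature_kind` is deliberate: Gatekeeper’s “accepted” only means the launch will not be blocked, while the signing chain tells you which of the article’s cases you are in. Neither check will catch a signed app that misbehaves after launch, which is why Apple’s fallback is certificate revocation rather than prevention.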
Apple launched a bug bounty program in 2016 to encourage developers and researchers to report security issues. But a report from Motherboard indicated the program may be faltering, since researchers can get more money by selling their discoveries elsewhere.
This isn’t the first time researchers have found security flaws in Apple’s Keychain. Back in 2015, Indiana University computer science professor XiaoFeng Wang found that a malicious app could read Keychain entries belonging to other apps and tamper with the user’s stored passwords.