Operating systems from Apple are considered to be relatively safe, because rarely the world is circulating information that someone has released a virus or spyware that would massively infect computers with macOS or iOS mobile devices. However, this does not mean that the Apple software is flawless and 100% secure. This was demonstrated by the recent exploit, which easily steals passwords from the latest MacOS High Sierra.
Keychain is a very handy password manager built into Apple systems. It not only memorizes passwords for accounts of our web sites, but also Wi-Fi networks. It can also be used by applications, but access to passwords will only be granted after the user enters the password. However, today’s exploit does this without the user’s knowledge. It is also not cheap, as the passwords in the Keychain are encrypted with the AES-256 algorithm. So it would seem that they are completely safe.
Exploit was developed by Patrick Wardle, a former NSA employee, current head of research at Synack.
As evidence, he posted a video showing the exploit’s behaviour. All you have to do is install the infected application. Then, it connects to the attacker’s computer and downloads a list of Keychain passwords with one click. Everything is saved to an explicit text file and uploaded to the server. You do not even know that something suspicious happens.
Patrick Wardle informed Apple about this issue on September 7, but the patch was not in the official macOS High Sierra version. Apple commented the situation on announcement, saying that the default configuration of macOS does not allow the installation of applications from untrusted sources. However, Patrick Wardle added that the required certificate can be obtained by joining the Apple Developer Program, whose membership costs $99 per year. Of course, people have come up with advice to not install the latest update from Apple, but this is not a solution. The same hole is also present in older macOS versions. Fortunately, you can easily avoid it. Just change the password to protect the Keychain that to be different from the user’s password. Then this exploit will not work. Patrick Wardle has stated that he will not publicize his exploit code until Apple fixes the hole.
Source: Ars Technica