Monday, September 25, Apple released a macOS update High Sierra. The operating system has received a number of security improvements, but not without nasty bugs.
According to researcher Patrick Wardle of Synack, macOS High Sierra there is a vulnerability that allows to access information stored in the keychain without the password of the administrator.
The keychain allows you to securely store passwords, credit card data and other important information. Thus to access the data you need to enter the administrator password. According to Wardle, after upgrading to macOS High Sierra, data from the keychain can be obtained without a password.
“Programs running in the system can access data in the keychain without any interaction from the user, — said the researcher. — The system has a vulnerability that allows local code to access the keys to bypass security measures”.
In the video Wordl demonstrated the presence of gaps with a specially created app called keychainStealer. Running the program, he was able to obtain passwords to access Twitter, Facebook and an account at Bank of America.
According to the expert, he found the vulnerability on September 7 and immediately reported it to Apple. Wardle said he did not intend to release the exploit until Apple resolve the vulnerability.
The expert noted that he created his own program, based on the fact that users often use the same password to log into the system and lock the keychain. If the protection of personal data using another password, the attack will fail.
Other users said the Apple employee, who said that for these programs requires the permission of the user.
“macOS is designed to be safe. Gatekeeper warns users that they are not installed apps from unverified sources. Moreover, the system does not run suspicious programs without permission. Therefore, we recommend users to download software only from trusted sources like the Mac App Store, and to pay close attention to the dialog boxes that appear in MacOS”.