9to5Mac - Tuesday, September 26, 2017 at 5:07 AM
Major macOS (incl. High Sierra) Keychain password extraction vulnerability
to be addressed by Apple in update [Video]
 
A macOS vulnerability discovered by security researcher Patrick Wardle
allows any app - signed or unsigned - to extract plain text passwords from
Keychain. Wardle demonstrated the exploit with a proof of concept app, seen
in the video below.
The vulnerability is a huge one, because Keychain data is secured by 256-bit
AES encryption, which should make it virtually uncrackable - and because the
bug affects all versions of macOS, including High Sierra.

What is supposed to happen is that only the app authorized to access a
particular password can decrypt it. But Wardle demonstrated his app was able
to extract and decrypt passwords for Twitter, Facebook, and Bank of America.
The app is able to do this without any user intervention.
The demonstration video shows the exploit running in an unsigned app. Unsigned
apps are blocked by default in macOS, but Wardle says this was only to
demonstrate how low the security bar is set; it works equally well in signed apps.
As a responsible researcher, Wardle reported the vulnerability to Apple on
September 7 and will not disclose the method used until Apple has patched
it. He told Gizmodo that the company is likely to do so soon.
He also says that this is not a reason to hold off on upgrading to High
Sierra: it's not a newly-introduced bug.
I think everyone should update. There's a lot of good built-in security
features. This attack works on older versions of macOS as well. There's no
reason for people not to upgrade.
Check out the video demo below.
Patrick Wardle is a former NSA staffer who last year demonstrated Mac
malware that could tap into live webcam and microphone feeds. He also
discovered Mac malware in the wild that allowed access to webcam photos,
screenshots and key-logging, and a separate exploit that would let someone
with local access to a Mac escalate their privileges to root.
 Original Article At:
https://9to5mac.com/2017/09/26/macos-keychain-vulnerability/

You received this message because you are subscribed to the Google Groups 
"MacVisionaries" group.