Apple recently rolled out their latest operating system, a new version of macOS named High Sierra 10.13. Hours after the OS was released, an ex-NSA hacker, Patrick Wardle, publicly disclosed details about a critical vulnerability affecting High Sierra and many early versions of macOS.
Wardle, now head of research at security firm Synack, found a critical zero-day vulnerability in the operating system that allows any installed application to steal usernames and plaintext passwords of online accounts stored in the Mac Keychain. The Mac Keychain is a built-in password management system that helps Apple users securely store a variety of information, and is meant to be accessed only with a user-defined master password. Wardle illustrates the exploit in a video that shows how a malicious installed application allows an attacker to remotely steal all passwords stored in the keychain without notifying the user of the attack.
Apple released a statement encouraging users to only download software from trusted sources, and to always pay attention to security dialogs presented by macOS.