MacOS High Sierra zero-day shows Keychain passwords in plain text

MacOS users who are starting the upgrade to High Sierra – and  those who are using El Capitan – are vulnerable to a proof-of-concept attack that shows their online passwords in plain text, according to Synack security researcher Patrick Wardle.

He discovered that Mac Keychain, a native password management tool, can store online account usernames and passwords in plain text, allowing malicious applications direct access to the account details. However, the Keychain is generally protected by a master password.

Wardle revealed the details in a video that showed a demonstration of the attack.

"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data, including your plain text passwords. This is not something that is supposed to happen,” he adds in a Patreon blog.

He believes malware must infect systems through malicious email attachments, fake popups or legitimate websites that have been compromised. These can come from both signed and unsigned applications, he says.

"Essentially any malicious code can perform this attack. Yes, this includes signed apps as well," he says.

Malware could theoretically steal credit card numbers or PIN numbers for bank accounts stored in the Keychain tool.

In the video, Wardle uses Netcat and ‘exfil keychain’ to mine the Keychain tool for usernames and passwords. High Sierra provides no warning signs that malicious activity is taking place.

So far, Apple does not appear to have released a patch for the vulnerability.

"This attack is local, meaning malicious adversaries have to first compromise your mac in some way. So best bet - don't get infected. This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it."

Wardle says there are also issues in High Sierra’s Secure Kernel Extension Loading (SKEL) feature. The feature is a user approval mechanism before new third party kernel extensions are loaded.

He believes that it is unlikely that attackers would use the vulnerability to directly load malicious kernel extensions. Instead, it is more likely that attackers will load ‘kexts’ before Apple is able to block them.

“Attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel. Note that such blacklisting is often is delayed as it can badly break legitimate functionality until the user has upgraded to a non-blacklisted version of the kext,” Wardle says in a blog.

“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we’re always going to win…sometimes after just 20 minutes of poking,” he continues.

He says that when Apple introduces new security features, it only complicated third-party development and users, while hackers aren’t affected at all.

“Of course if Apple’s ultimate goal is simply to continue to wrestle control of the system away from it users, under the guise of ‘security’, I’m not sure any of this even matters,” Wardle concludes.