Story image

MacOS High Sierra zero-day shows Keychain passwords in plain text

27 Sep 17

MacOS users who are starting the upgrade to High Sierra – and  those who are using El Capitan – are vulnerable to a proof-of-concept attack that shows their online passwords in plain text, according to Synack security researcher Patrick Wardle.

He discovered that Mac Keychain, a native password management tool, can store online account usernames and passwords in plain text, allowing malicious applications direct access to the account details. However, the Keychain is generally protected by a master password.

Wardle revealed the details in a video that showed a demonstration of the attack.

"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data, including your plain text passwords. This is not something that is supposed to happen,” he adds in a Patreon blog.

He believes malware must infect systems through malicious email attachments, fake popups or legitimate websites that have been compromised. These can come from both signed and unsigned applications, he says.

"Essentially any malicious code can perform this attack. Yes, this includes signed apps as well," he says.

Malware could theoretically steal credit card numbers or PIN numbers for bank accounts stored in the Keychain tool.

In the video, Wardle uses Netcat and ‘exfil keychain’ to mine the Keychain tool for usernames and passwords. High Sierra provides no warning signs that malicious activity is taking place.

So far, Apple does not appear to have released a patch for the vulnerability.

"This attack is local, meaning malicious adversaries have to first compromise your mac in some way. So best bet - don't get infected. This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it."

Wardle says there are also issues in High Sierra’s Secure Kernel Extension Loading (SKEL) feature. The feature is a user approval mechanism before new third party kernel extensions are loaded.

He believes that it is unlikely that attackers would use the vulnerability to directly load malicious kernel extensions. Instead, it is more likely that attackers will load ‘kexts’ before Apple is able to block them.

“Attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel. Note that such blacklisting is often is delayed as it can badly break legitimate functionality until the user has upgraded to a non-blacklisted version of the kext,” Wardle says in a blog.

“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we’re always going to win…sometimes after just 20 minutes of poking,” he continues.

He says that when Apple introduces new security features, it only complicated third-party development and users, while hackers aren’t affected at all.

“Of course if Apple’s ultimate goal is simply to continue to wrestle control of the system away from it users, under the guise of ‘security’, I’m not sure any of this even matters,” Wardle concludes.

How blockchain will impact NZ’s economy
Distributed ledgers and blockchain are anticipated to provide a positive uplift to New Zealand’s economy.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Human value must be put back in marketing - report
“Digital is now so widely adopted that its novelty has worn off. In their attempt to declutter, people are being more selective about which products and services they incorporate into their daily lives."
Wine firm uses AR to tell its story right on the bottle
A Central Otago wine company is using augmented reality (AR) and a ‘digital first’ strategy to change the way it builds its brand and engages with customers.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
Protecting organisations against internal fraud
Most companies tend to take a basic approach that focuses on numbers and compliance, without much room for grey areas or negotiation.
Telesmart to deliver Cloud Calling for Microsoft Teams
The integration will allow Telesmart’s Cloud Calling for Microsoft Teams to natively enable external voice connectivity from within Teams collaborative workflow environment.
Jade Software & Ambit take chatbots to next level of AI
“Conversation Agents present a huge opportunity to increase customer and employee engagement in a cost-effective manner."