Ex-NSA hacker claims to reveal zero-day flaw in macOS High Sierra

26 Sep 2017

Image: Apple

Vulnerability allegedly lets an attacker steal the contents of a Keychain without needing a password.

A former NSA hacker who now works as a chief security researcher claims to have revealed a password exfiltration exploit (or vulnerability) in macOS High Sierra.

The revelation by Patrick Wardle from Synack came just as Apple began rolling out the latest version of its desktop and notebook operating system this week.

According to ZDNet, the vulnerability demonstrated by Wardle indicates that is possible to steal every password in plain text using an app downloaded from the internet without needing the Mac’s Keychain master login.

The flaw also affects older versions of macOS and OS X.

Wardle’s ‘keychainStealer’ app could be included in a legitimate app or sent by email.

The point Wardle is trying to prove is that unsigned apps downloaded from the internet could steal Keychain logins in plain text. The upshot is that the vulnerability could be leveraged to steal logins for social network and banking websites.

Wardle has urged Apple to launch a macOS bug bounty programme for charity. Currently, Apple has a bug bounty for iPhones and iPads, which pays up to $200,000.

Will High Sierra bring Apple security to an even higher plain?

Apple prides itself on the security of Mac devices compared to the virus-ridden PC world, and it is no slouch on this matter. Although it hasn’t yet commented on Wardle’s claims, it will no doubt take them seriously.

Early studies of the new macOS High Sierra reveal that the OS that has some security tricks of its own. For example, a new routine in High Sierra runs automatic weekly checks on the firmware to warn users of modifications that could jeopardise the security of the machine.

The routine, first spotted by The Eclectic Light Company, compares the computer’s ID and installed firmware against Apple’s database of known firmware revisions.

The new OS is also understood to come with key updates to Safari, including differential privacy technology that gathers information on user habits, which will help the tech giant identify problematic websites.

The data-collection technology is aimed at identifying websites that use excessive power and crash the browser through monopolising memory, according to TechCrunch.

Differential privacy is a method for collecting data without taking personally identifiable data. Algorithms obscure user data so none of the information can be traced back to the user.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years