
Password Exfiltration Exploit Steals Keychain Passwords In macOS


Exfiltration Exploit

Shortly before Apple released the new macOS High Sierra, a vulnerability was discovered. Patrick Wardle, a former NSA hacker, posted a video of a password exfiltration exploit. Mr. Wardle is currently the chief security researcher at Synack. The exploit goes after the Mac’s Keychain, where passwords are stored. Normally, access to Keychain is granted with a user-defined master password.

Unsigned Apps

Mr. Wardle demonstrated that a hacker can steal every password stored in your Mac’s Keychain without using the master password. An unsigned app that Wardle created was all that was needed. The exploit could be incorporated into an app that looks perfectly legitimate. It could also be circulated via email as an attachment. What’s disturbing about this discovery is that it apparently works on earlier versions of macOS as well.

Here’s a video of the exploit in action:

Steal y0 (macOS) Keychain from patrick wardle on Vimeo.

Apple’s Response

Apple responded in a statement to CNET:

“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”

Where Do We Go From Here?

This kind of leaves us in the dark as to whether or not Apple plans to release a patch anytime soon. The statement made no mention of a patch to address this vulnerability. For now, it appears that Apple is leaving it up to its users to protect themselves from this potentially serious problem.

While speaking with Forbes, Patrick Wardle stated that “the exploit works as long as a person is logged in, and doesn’t require root access”.

It appears that the exploit relies on the user ignoring Mac Gatekeeper warnings about the danger of installing unsigned apps.

Personally, I will continue to be vigilant by not installing anything suspicious, especially unsigned apps, or opening suspicious email attachments. I will also pay close attention to system warnings. Since this vulnerability exists in my current and earlier versions of macOS, I will download High Sierra. I will install it, run it, and enjoy all it has to offer. However, I would feel a lot better knowing that Apple has our backs and releases a patch sometime soon.

Carmine Delligatti-Drummer, former Support Manager for Deneba Software, ACD Systems, Mareware, Inc. and Swiss Made Marketing. Avid technology blogger and Managing Editor of