macOS High Sierra Vulnerability Allegedly Allows Malicious Third-Party Apps to Access Plaintext Keychain Data

macOS High Sierra, released to the public today, could be impacted by a major security flaw that could allow a hacker to steal the usernames and passwords of accounts stored in Keychain.

As it turns out, unsigned apps on macOS High Sierra (and potentially earlier versions of macOS) can allegedly access the Keychain info and display plaintext usernames and passwords without a user's master password.

Security researcher and ex-NSA analyst Patrick Wardle tweeted about the vulnerability early this morning and shared a video of the exploit in action.


For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.

As demonstrated in the video above, Wardle created a proof-of-concept app called "keychainStealer" that was able to access plaintext passwords stored in Keychain for Twitter, Facebook, and Bank of America. Wardle spoke to Forbes about the vulnerability and said it's actually not hard to get malicious code running on a Mac even with Apple's protections in place.

keychainpasswordexploit

"Without root priveleges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords," Wardle told Forbes. "Normally you are not supposed to be able do that programmatically."

"Most attacks we see today involve social engineering and seem to be successful targeting Mac users," he added. "I'm not going to say the [keychain] exploit is elegant - but it does the job, doesn't require root and is 100% successful."

Wardle has not provided the full exploit code for malicious entities to take advantage of, and he believes Apple will patch the problem in a future update.

As Wardle has not released the full exploit code, it has not been double-checked by MacRumors or another source, so full details on the vulnerability are not known just yet.

Apple has not yet responded to requests for comment about the potential vulnerability.

Related Forum: macOS High Sierra

Popular Stories

apple wallet drivers license feature iPhone 15 pro

iPhone Driver's Licenses: These 17 U.S. States Offer Them or Will Later

Thursday June 19, 2025 11:28 am PDT by
In select U.S. states, residents can add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch, providing a convenient and contactless way to display proof of identity or age at select airports and businesses, and in select apps. Unfortunately, this feature continues to roll out very slowly since it was announced in 2021, with only nine U.S. states and Puerto...
apple watch ultra 2 new black

Apple Watch Ultra 3 Finally Coming After Two-Year Hiatus

Monday June 16, 2025 8:45 am PDT by
Apple will finally deliver the Apple Watch Ultra 3 sometime this year, according to analyst Jeff Pu of GF Securities Hong Kong (via @jukanlosreve). The analyst expects both the Apple Watch Series 11 and Apple Watch Ultra 3 to arrive this year (likely alongside the new iPhone 17 lineup, if previous launches are anything to go by), according to his latest product roadmap shared with...
iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17 Pro Launching in Three Months With These 12 New Features

Saturday June 14, 2025 5:45 pm PDT by
The iPhone 17 Pro and iPhone 17 Pro Max are three months away, and there are plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of June 2025:Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone X through iPhone 14 Pro have a...
ios 26 call holding

iOS 26 Beta is Hiding a New Ringtone — Here's What It Sounds Like

Thursday June 19, 2025 7:25 pm PDT by
Apple is hiding a new ringtone within iOS 26. The new ringtone is an alternative version of the existing Reflection ringtone, which has been the default ringtone since the iPhone X was released in 2017. It was discovered within the code for the first developer beta of iOS 26, but it remains hidden, so you will not find it in the list of ringtones available in the Settings app for now. It...
iOS 18

Apple Releases iOS 18.6 Public Beta

Wednesday June 18, 2025 10:24 am PDT by
Apple today seeded the first betas of upcoming iOS 18.6 and iPadOS 18.6 updates to public beta testers, with the betas coming just a few days after Apple provided the betas to developers. Testers who have signed up for beta updates through Apple's beta site can download iOS 18.6 and iPadOS 18.6 from the Settings app on a compatible device by going to General > Software Update. When the...
General Spotify Feature

Spotify Preparing to Launch Long-Awaited Lossless Audio Tier on iPhone

Thursday June 19, 2025 1:46 pm PDT by
Spotify appears to be gearing up to launch its long-awaited lossless music tier. Chris Messina (via TechCrunch) and Spicetify (via The Verge) spotted new lossless references within the code for Spotify's desktop app and web player. With assistance from Aaron Perris, MacRumors has confirmed that the latest beta of the Spotify app for the iPhone also contains new lossless-related code....
new iphone lockscreen ios 26

iOS 26: Five Changes Coming to Your iPhone Lock Screen

Tuesday June 17, 2025 8:46 am PDT by
With iOS 26, Apple has made some additions to the iPhone Lock Screen that aim to make it more customizable than ever. Of course, things can always change before the software makes its way to the general iPhone-owning public, but here are five new things iOS 26 can do on the Lock Screen as of the current developer beta. Widgets Top or Bottom In iOS 18, the row of widgets on your Lock...
iOS 26 on Three iPhones

Apple Says iOS 26 Won't Be Available on These iPhone Models

Tuesday June 10, 2025 6:58 am PDT by
Apple this week revealed that iOS 26 is compatible with the iPhone 11 series and newer. That means that iOS 18 is the end of the road for the iPhone XS, iPhone XS Max, and iPhone XR, which were all released in 2018. However, those devices will continue to receive security updates for at least a few more years. iOS 26 is compatible with the following iPhone models: iPhone 16e iPhone...
Craig Federighi No

John Gruber Reacts to Apple Declining His Interview After His Criticism

Wednesday June 18, 2025 8:10 pm PDT by
Every year between 2015 and 2024, at least one Apple executive agreed to be interviewed by Daring Fireball's John Gruber for a special WWDC episode of his podcast, The Talk Show. Last year, for example, Apple's software engineering chief Craig Federighi, marketing chief Greg Joswiak, and top AI researcher John Giannandrea joined Gruber on stage at the California Theatre in San Jose to discuss...

Top Rated Comments

DblHelix Avatar
101 months ago
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Score: 58 Votes (Like | Disagree)
sequential Avatar
101 months ago
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
1. Would have been even greater if Apple had ppl who found these kind of bugs themselves before release.
2. You don't know if he found this yesterday. But sure hate on the guy who might have prevented your bank account password from ending up in the wrong hands.
Score: 52 Votes (Like | Disagree)
bladerunner2000 Avatar
101 months ago
On release day. That's embarrassing.
Score: 38 Votes (Like | Disagree)
carlsson Avatar
101 months ago
OMG, to enable this software you have to enter System Preferences, answer YES on two dialogues, and also enter your password. Then it may STEAL your not encoded things stored in the keychain (by default everything is stored encoded). I think I'm going to Windows now. This is just too much!!!

/irony ended
Score: 34 Votes (Like | Disagree)
s15119 Avatar
101 months ago
sigh. don't download junk, don't jeopardize your computer. Common sense is the best anti-virus.
Score: 21 Votes (Like | Disagree)
bladerunner2000 Avatar
101 months ago
If he did find it yesterday, he should have disclosed it to Apple and given them 90 days to fix it.
He doesn't owe Apple anything. Just like Apple doesn't owe him anything. He did them a favour.
Score: 19 Votes (Like | Disagree)