macOS High Sierra Vulnerability Allegedly Allows Malicious Third-Party Apps to Access Plaintext Keychain Data

by

macOS High Sierra, released to the public today, could be impacted by a major security flaw that could allow a hacker to steal the usernames and passwords of accounts stored in Keychain.

As it turns out, unsigned apps on macOS High Sierra (and potentially earlier versions of macOS) can allegedly access the Keychain info and display plaintext usernames and passwords without a user's master password.

Security researcher and ex-NSA analyst Patrick Wardle tweeted about the vulnerability early this morning and shared a video of the exploit in action.


For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers. In fact, Apple does not even allow apps from non-trusted developers to be downloaded without explicitly overriding security settings.

As demonstrated in the video above, Wardle created a proof-of-concept app called "keychainStealer" that was able to access plaintext passwords stored in Keychain for Twitter, Facebook, and Bank of America. Wardle spoke to Forbes about the vulnerability and said it's actually not hard to get malicious code running on a Mac even with Apple's protections in place.

keychainpasswordexploit

"Without root priveleges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords," Wardle told Forbes. "Normally you are not supposed to be able do that programmatically."

"Most attacks we see today involve social engineering and seem to be successful targeting Mac users," he added. "I'm not going to say the [keychain] exploit is elegant - but it does the job, doesn't require root and is 100% successful."

Wardle has not provided the full exploit code for malicious entities to take advantage of, and he believes Apple will patch the problem in a future update.

As Wardle has not released the full exploit code, it has not been double-checked by MacRumors or another source, so full details on the vulnerability are not known just yet.

Apple has not yet responded to requests for comment about the potential vulnerability.

Related Forum: macOS High Sierra

Popular Stories

WWDC 2025 Sleek Peek

Apple Shares New 'Sleek Peek' Teaser Ahead of WWDC 2025 Next Week

Monday June 2, 2025 8:22 am PDT by
WWDC 2025 is just one week away, with Apple's opening keynote scheduled to begin on Monday, June 9 at 10 a.m. Pacific Time. Ahead of the annual developer conference, Apple updated its WWDC page today with a new "Sleek peek" tagline, which replaces the original "On the horizon" tagline that it used over the past few weeks. The graphic for WWDC 2025 has also been updated. It is now a...
Read Full Article β€’ 81 comments
iCloud General Feature Redux

iPhone Users Who Pay for iCloud Storage Received a New Perk This Year

Sunday June 1, 2025 9:26 am PDT by
If you pay for iCloud storage on your iPhone, Apple introduced an additional perk for you this year, at no additional cost. The perk is the ability to create invitations in the Apple Invites app for the iPhone, which was released in the App Store in February. In the Apple Invites app, iCloud+ subscribers can create invitations for any occasion, such as birthday parties, graduations, baby...
Read Full Article
macOS Tahoe Render

macOS Tahoe Name Leaked Ahead of Apple's WWDC Event Next Week

Sunday June 1, 2025 7:08 am PDT by
The alleged name of macOS 26 (yes) has leaked. In his Power On newsletter today, Bloomberg's Mark Gurman said that macOS 26 will be named macOS Tahoe, after California's scenic Lake Tahoe. Apple previously named its Mac operating systems after big cats like Cheetah, Tiger, Leopard, and Lion. Starting with OS X Mavericks in 2013, however, Apple switched to California-themed names like...
Read Full Article β€’ 151 comments
iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17 Pro Launching Later This Year With These 12 New Features

Tuesday May 27, 2025 9:10 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of May 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone X ...
Read Full Article β€’ 85 comments
28 years later iphone 1

Filmmakers Used 20 iPhones at Once to Shoot '28 Years Later'

Friday May 30, 2025 7:27 am PDT by
Sony today provided a closer look at the iPhone rigs used to shoot the upcoming post-apocalyptic British horror movie "28 Years Later" (via IGN). With a budget of $75 million, Danny Boyle's 28 Years Later will become the first major blockbuster movie to be shot on iPhone. 28 Years Later is the sequel to "28 Days Later" (2002) and "28 Weeks Later" (2007), which depict the aftermath of a...
Read Full Article β€’ 76 comments
iOS 18

What to Expect From iOS 18.6 as One of the Final Updates Before iOS 26

Monday June 2, 2025 12:33 pm PDT by
It has been three weeks as of today since Apple released iOS 18.5, and we are still waiting for the first iOS 18.6 beta to follow. Below, we outline everything we know about iOS 18.6 so far. Timing Apple's software engineers have been internally testing iOS 18.6 since late March, according to the MacRumors visitors logs. The first betas of iOS 13.6 through iOS 16.6 were all released...
Read Full Article β€’ 36 comments
iOS 19 visionOS UI Elements

6 visionOS-Inspired Design Elements Coming to iOS 26

Friday May 30, 2025 3:26 pm PDT by
With iOS 26, macOS 26, tvOS 26, and watchOS 26, Apple is planning to debut a new design that's been described as taking inspiration from visionOS, the newest operating system. With WWDC coming up soon, we thought we'd take a closer look at visionOS and some of the design details that Apple might adopt based on current rumors and leaked information. 1. Translucency Inside Apple, the iOS 26...
Read Full Article β€’ 162 comments

Top Rated Comments

DblHelix Avatar
DblHelix
100 months ago
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Score: 58 Votes (Like | Disagree)
sequential Avatar
sequential
100 months ago
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
1. Would have been even greater if Apple had ppl who found these kind of bugs themselves before release.
2. You don't know if he found this yesterday. But sure hate on the guy who might have prevented your bank account password from ending up in the wrong hands.
Score: 52 Votes (Like | Disagree)
bladerunner2000 Avatar
bladerunner2000
100 months ago
On release day. That's embarrassing.
Score: 38 Votes (Like | Disagree)
carlsson Avatar
carlsson
100 months ago
OMG, to enable this software you have to enter System Preferences, answer YES on two dialogues, and also enter your password. Then it may STEAL your not encoded things stored in the keychain (by default everything is stored encoded). I think I'm going to Windows now. This is just too much!!!

/irony ended
Score: 34 Votes (Like | Disagree)
s15119 Avatar
s15119
100 months ago
sigh. don't download junk, don't jeopardize your computer. Common sense is the best anti-virus.
Score: 21 Votes (Like | Disagree)
bladerunner2000 Avatar
bladerunner2000
100 months ago
If he did find it yesterday, he should have disclosed it to Apple and given them 90 days to fix it.
He doesn't owe Apple anything. Just like Apple doesn't owe him anything. He did them a favour.
Score: 19 Votes (Like | Disagree)
Read All Comments