CATEGORIES
home News

Apple Acknowledges Password Security Flaw In This Week's macOS High Sierra Release

by Shane McGlaunWednesday, September 27, 2017, 08:09 AM EDT

It used to be that Macs were thought to be nearly immune to malware, viruses, and serious security issues. That certainly isn't the case with modern Macs because as the user base has grown, the amount of malware and viruses targeting the platform has also grown. Back in June, we talked about malware-as-a-service attacks targeting Macs. This week Apple launched a new and free update to the macOS called High Sierra. Only a few days after the release of that software, Apple has acknowledged a security flaw in the update.

macs

Reports indicate that programs not approved by Apple might be able to glean passwords from the Mac keychain when you ask the software to remember a password for you. As of now, there is no evidence suggesting that any software has exploited the flaw to steal passwords. Nevertheless the flaw certainly throws some shade on the launch of High Sierra.

If you are downloading all your software via the Mac App Store, you shouldn't have to worry about the security flaw being exploited reports The Washington Post. However, if you frequently download software for third-party locations, you should be concerned. Apple issued a statement that said, "We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents."

The initial warning of the security flaw came from security expert Patrick Wardle on Monday. Wardle offered up a video that shows how the security flaw can be exploited to steal passwords, which you can view below. The hack he devised was able to steal Facebook, Twitter, and Bank of America passwords. Wardle also asks for a macOS bug bounty for charity in the launch process for his app that exploits the flaw called keychainStealer.

Wardle talked to Forbes about the flaw stating, "Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords. Normally you are not supposed to be able do that programmatically." Wardle won't give up the code for this exploit and says that he expects Apple to patch the issue eventually.

Apple normally does not usually speak on security issues until an investigation is over and a patch is ready. Apple's security updates support page states, "For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available."

Tags:  Apple, security, macos, high sierra
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment