MacOS Keychain Theft Issue Shows You Can’t Just Trust Apple to Keep You Secure

Apple just released macOS High Sierra (10.13), but even the newest version of its operating system is not free of security flaws. A security researcher posted a video showing that malicious applications running on the new OS can silently steal usernames and passwords stored in users' keychains.

Apple intentionally engineered the keychain—a secure container where users and applications can store credentials, secure notes, encryption keys, Wi-Fi passwords and other sensitive information—to require user confirmation before applications can access it. Even when such approval is given, applications can only access information that they previously placed in the keychain themselves.

Here's an older video from antivirus firm Malwarebytes showing how an adware application for OS X was trying to bypass this keychain confirmation prompt by automatically emulating a mouse click on the OK button:

The new issue affecting High Sierra—but also older macOS versions—was found by Patrick Wardle, a former NSA hacker who's now the director of research at penetration testing firm Synack. The attack technique he found allows a malicious application to extract all passwords from a macOS keychain silently in the background, without any user interaction. The application doesn't need to gain any special privileges like root either.

Wardle reported this issue to Apple earlier this month, but said it was probably too late for a fix to be integrated into the final version of the OS, which released on Monday.

Wardle tested his exploit on the GM (Gold Master) candidate for High Sierra, a version that was made available for developers and testers earlier this month. However, he has since confirmed that the exploit also works on the final High Sierra build released to all users yesterday.

The researcher published a video showing how an unsigned application was extracting the keychain data, but the exploit works with signed applications too.

"Unfortunately most macOS malware these days is signed anyway in order to bypass Gatekeeper," Wardle told me.

Apple requires all developers who want to publish an application on the Mac App Store to digitally sign it with a Developer ID, a certificate that's obtained through Apple's developer program. Furthermore, by default, Gatekeeper only allows users to install apps from the App Store and from "identified developers."

To bypass this restriction, over the past few years malware developers have started signing their malicious apps with stolen Apple Developer ID certificates or with certificates they obtained themselves through the developer program. There have even been cases of potentially unwanted applications being found in the App Store, where supposedly they undergo reviews by Apple.

For practical reasons, though, many users do override Gatekeeper and install unsigned applications because there are many legitimate and useful apps that are not signed. This is especially true for apps that perform security-related functions and which wouldn't be allowed in the the App Store.

Wardle is the creator of several free security tools for macOS and even though his applications are signed with a valid Developer ID, they're not in the App Store because Apple's rules for admission are too restrictive.

There have also been cases where attackers compromised the download servers for legitimate applications and replaced their installers with maliciously modified ones. Such attacks affected the popular Transmission BitTorrent client for macOS on two occasions and a video converter app called HandBrake.

This all shows that infecting Macs with malware is not as hard as many users believe and can be done in a variety of ways.

"The main prerequisite for this attack and many other attacks is for malicious code to get on the box," Wardle told me. "My point of view is that once such code has gotten on your box it's pretty much game over. Many of the security mitigations that Apple implements are not that difficult to bypass."

Wardle didn't release any working exploit code or other details that would allow others to exploit the vulnerability. He just published the proof-of-concept video in order to raise awareness.

"I thought it is very important for Mac users to be aware of these risks," he said. "Apple spends a ton of money and time delivering a message to consumers that macOS is incredibly secure. In my personal opinion I don't think that's as honest as it could be, because every time I look at macOS the wrong way something breaks; something falls over."

Wardle thinks that while all operating systems have flaws, many Mac users tend to be overly confident because they believe in Apple's message and think their systems are immune to malware and will protect them.

Mac users should follow the same security best practices as everyone else: keep their software up to date and be careful of what they're downloading and installing, though that can be difficult when legitimate applications like Transmission and HandBrake get compromised, he said.

Another requirement for his attack to succeed is for the keychain to be unlocked, which is the default state of the keychain after the user logs on. Even in this state, applications still need user confirmation to access it so Wardle's attack violates the keychain's expected behavior.

Users can manually lock their keychains using the Keychain Access tool provided by macOS. They can also configure their keychains to become automatically locked if the system is left idle for a period of time. This can be configured by selecting the "login" keychain in the Keychain Access tool, then going to the Edit menu in the upper toolbar and selecting Change Settings for Keychain "login."

"In the Mac world, instances of malware are steadily increasing," antivirus vendor Malwarebytes said in a report released in July. "More new malware families have appeared so far this year than in any other previous year in all the history of Mac OS X, and the year's only half over."

Apple did not respond to a request for comment.