Just hours before Apple is expected to roll out the new version of its desktop and notebook operating system, macOS High Sierra, a security researcher dropped a zero-day.
Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack — a password exfiltration exploit — in action.
Passwords are stored in the Mac’s Keychain, which typically requires a master login password to access the vault.
But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.
He tweeted a short video demonstrating the hack.
Wardle created a “keychainStealer” app demonstrating an exploit for the vulnerability, which according to the video, can expose passwords to websites, services, and credit card numbers when a user is logged in.
That exploit could be included in a legitimate-looking app, or be sent by email.
In his tweet, Wardle suggested that Apple should launch a macOS bug bounty program “for charity.” Right now, Apple only has a bug bounty for iPhones and iPads, which pays up to $200,000 for high-end secure boot firmware exploits.
It’s the second zero-day that Wardle found for the operating system this month — the first shows how the new software’s secure kernel extension loading feature is vulnerable to bypass.
Apple did not respond to a request for comment at the time of writing.