A new macOS vulnerability has been discovered that can expose Keychain passwords. The newly released High Sierra is affected.
Security researcher Patrick Wardle found that the security hole allows apps to read passwords in plain text even though they are protected by Apple's Keychain system. Along with older versions of the operating system, the latest upgrade, High Sierra, which was released on Tuesday, September 26, is also affected.
Wardle first informed Apple regarding the vulnerability on September 7. The California-based tech giant has not yet issued a security patch but is expected to release a fix soon through an over-the-air update.
Credentials under Keychain are normally protected by 256-bit AES encryption, making them difficult for hackers to crack. Only authorised apps can access the data. However, in Wardle's demo, he was able to access credentials for Facebook, Twitter and even Bank of America using the app he created. Wardle, of course, did not publicise how he was able to crack them open.
Although High Sierra is still affected by the vulnerability, Wardle urges Mac users to update their operating system as it has "a lot of good built-in security features".
"I think everyone should update. There's a lot of good built-in security features," says Wardle. "This attack works on older versions of macOS as well. There's no reason for people not to upgrade."
macOS High Sierra is now available for download from the Mac App Store.