back to article Mac High Sierra hijinks continue: Nasty apps can pull your passwords

A security shortcoming in earlier versions of OS X has made its way into macOS High Sierra despite an expert's best efforts to highlight the flaw. Patrick Wardle, of infosec biz Synack, found that unsigned, and therefore untrustworthy, applications running on High Sierra, aka macOS 10.13, were able to quietly access sensitive …

  1. Anonymous Coward
    Anonymous Coward

    At least it takes some effort to install such apps..

    But it's still not good news - well found. I hope they fix this soon.

    That said, I hope they fix it in Sierra first, I'll wait with High Sierra until it has a few months under its belt. Changing a file system is not a trivial exercise. Running it on iOS isn't quite the same.

    1. jdoe.700101

      Re: At least it takes some effort to install such apps..

      I'd like it to be fixed in El Capitan too, as my 2008 MacPro can go no further, and I'm still waiting for Apple to offer a suitable replacement. i.e. lots of memory & internal disks.

      1. lglethal Silver badge
        Trollface

        Re: At least it takes some effort to install such apps..

        "I'm still waiting for Apple to offer a suitable replacement. i.e. lots of memory & internal disks."

        You might be waiting a while...

      2. djstardust

        Re: At least it takes some effort to install such apps..

        My 2009 Mac Pro has had Windows 7 ultimate on it for years and it's flawless.

  2. Anonymous Coward
    Anonymous Coward

    Plaintext passwords??

    "Obviously, random apps should not be able to access the entire keychain and dump things like plaintext passwords"

    Passwords shouldn't be stored as plain or in reversably encrypted text in the first place! Unix had this covered back in the 70s, wtf are Apple up to?

    1. jdoe.700101

      Re: Plaintext passwords??

      Unfortunately hashed passwords don't work so well if you are using them to connect to things such as Wi-Fi base stations, mail servers, etc...

      1. Anonymous Coward
        Anonymous Coward

        Re: Plaintext passwords??

        Fair enough, I thought it was refering to system user passwords.

    2. FuzzyWuzzys

      Re: Plaintext passwords??

      That's the whole idea of a locked keychain, sensitive information that has to remain "as-is" but still has to be made available on request, however not to any app willy-nilly as is happening now.

    3. Ilsa Loving

      Re: Plaintext passwords??

      They are not stored in plaintext. The issue is that once the keychain is unlocked (which happens automatically when you log in, there's not a lot stopping programs from accessing it.

  3. Anonymous Coward
    Anonymous Coward

    Apple could always get Deloitte in to audit their security.

    1. Mike Richards Silver badge

      TalkTalk are also available and it would cut out the middle man when it comes to cold calling potential victims.

  4. An nonymous Cowerd

    only "signed apps" mentality?

    in the current level of 'web-of-trust' I suppose this is better than nothing, but as https://www.eff.org/files/colour_map_of_CAs.pdf (pdf 132kb) shows, there are quite a few interesting people who can and have signed malware. [malware laden CCleaner version 5.33.6162 was certificated/signed by a valid digital signature issued as a Symantec Class3 SHA256 certificate expiry 10/10/2018 ]

    personally I set the mac firewall to "not allow signed software to receive incoming", and I further set the system to "only allow apps d/l from the app-store". [ctrl+right-click to allow the odd unsigned but plausible binary install, having usually thrown it at virustotal.com first for a check - one minority-report case where 56 out of 57 votes are sometimes wrong!]

    1. ThomH Silver badge

      Re: only "signed apps" mentality?

      The exploit isn't public so this is speculation at best but it sounds to me like the signed/unsigned distinction is a bit of a red herring here. As per the article "[n]ormally, apps, even signed trusted ones, trigger a prompt to appear on screen when touching the operating system's Keychain database"; it sounds to me like he's found a security exploit and, separately, demonstrated that the exploit is present whether your app is signed or unsigned.

      I take that to mean: Apple made an implementation mistake somewhere, which is orthogonal to signing. I don't think signing is meant to be Apple's solution to guarding the Keychain.

      Also although special rules apply for kernel extensions, I think anybody who pays $99 gets a signing certificate, no questions asked. Signed apps are more heavily sandboxed (e.g. no access to a directory unless the user has used the OS-provided file dialogue to open a file from there) but nevertheless that'd be the worst web of trust ever. Apple seems more interested in having permission they can revoke than in vetting those who want it in the first place — and if it makes some money too, fantastic.

  5. DuncanLarge

    High Sierra CD-ROM

    Everytime I read ANYTHING about High SIerra this is what first comes to mind:

    https://en.wikipedia.org/wiki/High_Sierra_Format

    I must be showing my age!

    1. Anonymous Coward
      Anonymous Coward

      Re: High Sierra CD-ROM

      Not your age - your maturity...

    2. Anonymous Coward
      Anonymous Coward

      Re: High Sierra CD-ROM

      I knew I'd heard it before.

      Ahh brings back memories of the good old Rainbow Book standards.

      1. kain preacher

        Re: High Sierra CD-ROM

        Same here. Romeo or Juliet standard ?

  6. Anonymous Coward
    Anonymous Coward

    so, i use macupdate and have been so for many years. i download apps from there and only will but im asking this, can this application and the application posted on the website pose risks to my credit cards, passwords and other personal information? thanks.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021