Juli Clover, MacRumors:
macOS High Sierra, released to the public today, could be impacted by a major security flaw that could allow a hacker to steal the usernames and passwords of accounts stored in Keychain.
Here’s the tweet that brought this to light:
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)??? vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— patrick wardle (@patrickwardle) September 25, 2017
The timing of this reveal is terrible, as it coincides with the release of macOS High Sierra. I know a number of people who have held off updating for just this reason.
Don’t let this story stop you from updating:
This exploit is said to affect earlier versions of macOS as well. If you are on Sierra and considering updating, you are already as vulnerable as you would be if you updated.
Apple is said to be working on a fix, and Patrick Wardle has said he will not release details of the exploit until the patch is available.
Add to that:
For this vulnerability to work, a user needs to download malicious third-party code from an unknown source, something Apple actively discourages with warnings about apps downloaded outside of the Mac App Store or from non-trusted developers.
To be clear, do your research and a full backup before you update. I’ve done my homework and, once I finish this morning’s Loop posts, will hit the return key and start my update. I will definitely update on Twitter as I go. Hopefully, the update will be trouble-free. Fingers are crossed.