Just hours before Apple is expected to roll out the new version of its desktop and notebook operating system, macOS High Sierra, a security researcher dropped a zero-day.
Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action.
Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault.
But Wardle has shown that the vulnerability lets an unsigned app downloaded from the internet dump every password in the keychain in plaintext, without needing that master password.
Wardle tested the exploit on High Sierra, but said that older versions of macOS and OS X are also vulnerable.
Wardle created a "keychainStealer" app demonstrating a local exploit for the vulnerability, which, according to the video, can expose passwords for websites and services, as well as credit card numbers, while a user is logged in.
That exploit could be included in a legitimate-looking app, or be sent by email.
"If I was an attacker or designing a macOS implant, this would be the 'dump keychain' plugin," said Wardle.
He reported the bug to Apple earlier this month, "but unfortunately the patch didn't make it into High Sierra," he said. High Sierra was released Monday.
"As a passionate Mac user, I'm continually disappointed in the security of macOS," he said. "I don't mean that to be taken personally by anybody at Apple -- but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I'm sure sophisticated attackers have similar capabilities."
"Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable," he added.