The Keychain password vulnerability affecting macOS, including High Sierra, was reported to Apple on Sept. 7 and should be fixed by the tech giant soon, Patrick Wardle, the researcher who first publicized the issue, told Gizmodo.
He reported code that appeared to extract plaintext passwords from the Keychain. If users opt into using Keychain, they can use it to store their login information, credit cards, and WiFi passwords.
All Keychain info is normally locked down with a user’s master password. However, Wardle was able to extract passwords from the Keychain without entering a master password, showing that an attacker with access to an unlocked computer might be able to steal Keychain data.
“Applications running on your system are able to access all the information in the Keychain without any user interaction,” Wardle told Gizmodo. “There’s a vulnerability that allows local code to access the keychain and bypass the security components.”
He said he won’t make his exploit public until it’s patched. And he doesn’t feel there’s a need to wait to upgrade to High Sierra.
“I think everyone should update. There’s a lot of good built-in security features. This attack works on older versions of Mac OS as well. There’s no reason for people not to upgrade,” Wardle told Gizmodo.