“Just as [in] macOS High Sierra, security researcher Patrick Wardle tweeted a previously undisclosed (zero day) vulnerability in Keychain, Apple’s secure credential repository,” Rene Ritchie writes for iMore. “he vulnerability potentially affects a wide range of macOS versions.”
“Wardle is saying that he could put a malicious app on someone’s Mac and then use that app to get around Keychain’s security and pull out usernames and passwords programmatically,” Ritchie writes. “That means Wardle, or someone using the same exploit, would have to use a phishing attack or some form of social engineering to get the malicious app onto your Mac, then use that malicious app to go after your Keychain.”
“It’s a bad bug and one Apple absolutely needs to fix as quickly as possible,” Ritchie writes. “In the meantime, the Keychain vulnerability, isn’t something macOS users should panic about. At least not those used to following the same security best practices everyone in the industry has been talking about for years. Namely, keep Apple’s default Gatekeeper settings enabled and don’t download anything, or click on any links, you don’t absolutely trust.”
Read more in the full article here.
MacDailyNews Note: To make sure Apple’s Gatekeeper settings are enabled, launch System Preferences, click the General tab, and under “Allow apps downloaded from:” check “App Store.”
In System Preferences, you first have to select “Security & Privacy”, under which you’ll find the “General” tab, where you’ll find the “Allow apps downloaded from:” I’m sure it was an unintentional omission in MDN’s Note.
MDN: “click the General tab” should be
“click the Security & Privacy pane then click the General tab….”
This is seriously very serious.
We all open apps that bypass the gate keeper because there are loads of great developers making software that is either not on the App Store or not in the gatekeeper list.
If you know your man you know that all you do to bypass gatekeeper is to select the file right click open this is how you open without all the gatekeeper info appearing and having to unlock your gatekeeper and select to open anyway.
Apple need to make this a super priority as the exploit is easily downloaded and its a very basic exploit to get passwords without jumping any sophisticated hoops.
anyone claiming all that crap about the long winded process needed to install a non gatekeeper app is mistaken and ill informed.
No, we don’t… “we” defined as the vast majority of web surfing email checking game playing macOS users.
I believe Apple intends to fix this BUT when you bypass GateKeeper, you’re putting WHOLE lot of trust in the app you’re installing. Transmit? Handbrake? Both NOT on the App Store and both unintentionally exposed users to an exploit.
It’s not a vulnerability, it’s a feature.