1 min read

0-day flaw in macOS High Sierra lets hackers dump all passwords from keychain

Filip TRUȚĂ

August 14, 2018

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
0-day flaw in macOS High Sierra lets hackers dump all passwords from keychain

Apple prides itself on the airtight security offered by its family of products, including the Mac operating system, macOS. But while considerably less targeted by hackers, macOS is still vulnerable to attacks – especially when a bad actor comes at it with an exploit that takes advantage of a zero-day vulnerability.

Ex-NSA hacker Patrick Wardle demonstrated just that at the Def Con conference in Vegas, when he showed that macOS High Sierra (the current version of Apple”s Mac operating system) is vulnerable to attacks involving “synthetic clicks.”

macOS is rich in Accessibility features, and one of these abilities is the nifty trick of making mouse-clicks without actually touching the mouse – everything happens in the software. Wardle found that an unpatched 0-day flaw can be exploited to virtually click objects and gain access to password protected areas. In fact, he found a way to dump all passwords from the keychain and bypass 3rd-party security tools.

“Via a single click, countless security mechanisms may be completely bypassed,” says Wardle. “Run untrusted app? click …allowed. Authorize keychain access? click …allowed. Load 3rd-party kernel extension? click …allowed. Authorize outgoing network connection? click …allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way?”

See his presentation slides here for the full scoop. Apple has reportedly patched the bug in its upcoming macOS Mojave, which is currently in beta.

tags


Author



Right now

Top posts

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read
What Is a VPN, How Does It Protect Me, and What Cool Perks Does it Offer?

What Is a VPN, How Does It Protect Me, and What Cool Perks Does it Offer?

September 23, 2021

2 min read
Ultimate Privacy Guide for Your Facebook Account

Ultimate Privacy Guide for Your Facebook Account

August 31, 2021

6 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Tesla reverses "Full self-driving" beta update after sudden braking reports Tesla reverses "Full self-driving" beta update after sudden braking reports
Graham CLULEY

October 27, 2021

2 min read
Ukrainian Police Arrest Underground Darknet Group Laundering Cryptocurrency for Hackers Ukrainian Police Arrest Underground Darknet Group Laundering Cryptocurrency for Hackers
Silviu STAHIE

October 26, 2021

1 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
Filip TRUȚĂ

October 26, 2021

3 min read