Not upgrading to macOS 10.13 High Sierra won't keep you safe from this sort of attack. Wardle said on his blog that the flaw also exists in macOS 10.12 Sierra, and probably on OS X 10.11 El Capitan as well.

What you can do instead is to change the Keychain settings so that Keychain is not automatically unlocked when you log into your Mac. You'll have to log in every time Keychain needs to be accessed, which will be inconvenient, until Apple patches this flaw.

A video Wardle posted yesterday (Sept. 25) shows his proof-of-concept malware, called "KeychainStealer," installing on a Mac running High Sierra. Wardle then scans the machine using the open-source networking utility Netcat, entering a command, and grabbing his own (presumably temporary) passwords for Facebook ("hunter2"), Twitter ("I_do_this_for_followers") and Bank of America ("ShowMeTheMoney$$$").

"As my discovery of this bug and report (in early September) was 'shortly' before High Sierra's release, this did not give Apple enough time to release a patch on time," Wardle explained in a blog posting this morning (Sept. 26). "However, my understanding is a patch will be forthcoming!"

Mac applications normally can access only their own information in the Keychain, which besides passwords can hold any kind of sensitive information, such as credit-card numbers. Wardle's malware completely bypasses that process.