Take the Stress Out of Your Business Technology. Contact Us at (613) 634-8125.

A Bug in the Apple?  

High Sierra’s Password Theft Vulnerability

Learn how a macOS update named High Sierra can leave your passwords vulnerable to theft. 

Apple Bug

As this tech giant usually does before a new release, Apple generated massive excitement over High Sierra. This free upgrade for macOS includes an extra two gigs of memory and plenty of new or updated features. According to Apple, some of the highlights of High Sierra include better video streaming, new graphics editing features, and more efficient data storage. Apple also says that some of the changes will also help pave the way for future innovations. It’s easy to understand why this company’s customers wait eagerly for updates to their devices.

Still, shortly after the recent release, the apple may have turned a bit sour for some people. The Washington Post and other news outlets reported on a serious security vulnerability. Hackers can potentially craft apps that can steal stored passwords from the device. Some outside security experts expressed disappointment that Apple knew about the vulnerability before the release and did not rush out a patch.

How Can Hackers Steal Passwords With High Sierra?

To understand how hackers can steal passwords from High Sierra, it helps to understand a little bit about how the operating system stores them. If you already use devices with macOS, you may already understand that:

  • You have a master password for your device.
  • You also can have your device store various passwords for apps and websites in something that Apple calls the “keychain.”
  • This convenience keeps you from having to remember all of the passwords you might use, and you can find similar features on almost all sorts of devices and operating systems.

The problem is that if you use unsigned apps or those that aren’t approved for distribution within the Apple Store, those apps may be able to pull the passwords out of your keychain without knowing your master password. A security researcher named Patrick Wardle uncovered this exploit, made his discovery public, and even informed Apple about it in advance of the public release. Wardle says the vulnerability allows hackers to pull out passwords as text so anybody can read them.

Since the release, he has expressed disappointment that the company did not patch the problem but assumes that they will eventually. He also said that this vulnerability could affect older versions of macOS and even OS-X.

How Can You Protect Your Passwords With High Sierra?

If you try to install an unsigned app, the operating system will warn you. Apple’s response to Wardle and the public was that they have always advised their customers to only download signed apps from the Apple Store. A company spokesman said that they encourage their customers to refuse any app that triggers a warning that it has not been certified by Apple and that this measure can help keep devices from getting infected with malware.

Until Apple releases a patch and perhaps, even afterward, you might protect yourself by:

  • Only downloading trusted apps
  • Making certain that you only have trusted apps already downloaded on your devices
  • Running antivirus scans

Is Your Mac Safe When You Only Download Signed Apps?

Even if you take care to only download signed apps, you won’t have a guarantee that your device is completely safe. The problem is that it’s possible for a clever cybercriminal to inject the exploit into a digitally signed application with falsified or stolen credentials. In fact, a security company uncovered this very thing as recently as March of 2017. Obviously, this was several months before the release of High Sierra.

The security company, Sixgill, said that their researchers found an online discussion of a remote attack Trojan, appropriately called a RAT, on an underground forum that exists for buying and selling digital exploits. Some of the most damaging features of this malware include controlling cameras, keylogging, and executing remote commands. However, Sixgill said the most alarming thing about the app is that it appeared to have a legitimate digital signature and would not trip any sort of warning message when installed. Somehow, the author of the malware managed to bypass or defraud Apple’s normal filters.

Can You Keep Your Apple Devices Secure?

Anyway, these stories are not meant to alarm anybody or contend that one operating system has more vulnerabilities than another one. Apple and its competitors typically do a good job of staying on top of security vulnerabilities as they are uncovered. It’s just possible that nobody can really offer you any 100-percent-foolproof cybersecurity guarantees. Typically, your security will depend upon a combination of your prudence when downloading apps, applying released security patches, and using security software.

We are here to keep your valuable information as secure as informed people and modern technology will allow. Here at Onserve in Eastern Ontario, we’re waiting to help protect you, your data, and your devices. You can call us at (877) 996-6622 or send an email to sales@onserve.ca to get in touch with us.