Apple’s latest macOS, High Sierra, rolls out today with plenty of nice security upgrades, including weekly firmware validation. But the new OS apparently comes with a security problem, too — a security researcher at Synack has already discovered a way to snatch passwords from High Sierra.
Patrick Wardle, the head of research at Synack, revealed the issue today in a video where he demonstrated code that appeared to extract plaintext passwords from the Keychain. If users opt into using Keychain, they can use it to store their login information, credit cards and Wi-Fi passwords.
Normally, all Keychain information is locked down with a user’s master password. But Wardle was able to extract passwords from the Keychain without entering a master password, showing that an attacker with access to an unlocked computer might be able to steal Keychain data.
Wardle’s walk-through video demonstrates his “keychainStealer” app and shows it pulling plaintext passwords for Twitter, Facebook and Bank of America. He hasn’t made the exploit public, so users shouldn’t be at risk.
Gizmodo contacted Apple and Wardle for comment but had not heard back at the time of writing.