Apple Says It Fixed High Sierra’s Password Leaking Problem

Time to install those updates! Last week, we warned you that a bug in High Sierra made it possible for an attacker to extract passwords from Apple’s Keychain in plaintext. The bug was discovered and reported by Synack head researcher Patrick Wardle in early September, and now Apple has issued a patch for the issue.

“A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access,” Apple says in the release notes for the update.

High Sierra 10.13 also comes with another important security update that you’ll want to grab as soon as possible. Security researcher Matheus Mariano discovered that, if he used a password hint to remind him of his encryption password for an Apple File System (APFS) volume, the password itself would be displayed instead of the hint.

Installing the update will fix this, but Apple has a whole list of steps you should follow as well, including changing passwords for encrypted APFS volumes.

