UPDATED with response from Apple.
Apple's new macOS 10.13 High Sierra is only a day old, and it's already been hacked.
A rogue application or other service running on a Mac can easily break into Apple's Keychain password vault and steal all user credentials stored therein, said security researcher Patrick Wardle.
To prevent such attacks, users will have to disable Keychain from automatically unlocking whenever they log into their Macs. On the bright side, Wardle has not disclosed exactly how his attack works, and there's no malware in the wild that's known to use this technique.
MORE: Best Mac Antivirus Software
How to Protect Yourself
Not upgrading to macOS 10.13 High Sierra won't keep you safe from this sort of attack. Wardle said on his blog that the flaw also exists in macOS 10.12 Sierra, and probably on OS X 10.11 El Capitan as well.
What you can do instead is to change the Keychain settings so that Keychain is not automatically unlocked when you log into your Mac. You'll have to log in every time Keychain needs to be accessed, which will be inconvenient, until Apple patches this flaw.
A video (opens in new tab) Wardle posted yesterday (Sept. 25) shows his proof-of-concept malware, called "KeychainStealer," installing on a Mac running High Sierra.
Wardle then scans the machine using the open-source networking utility Netcat, entering a command, and grabbing his own (presumably temporary) passwords for Facebook ("hunter2"), Twitter ("I_do_this_for_followers") and Bank of America ("ShowMeTheMoney$$$").
"As my discovery of this bug and report (in early September) was 'shortly' before High Sierra's release, this did not give Apple enough time to release a patch on time," Wardle explained in a blog posting this morning (Sept. 26) "However, my understanding is a patch will be forthcoming!"
How Keychain works
Mac applications normally can access only their own information in the Keychain, which besides passwords can hold any kind of sensitive information, such as credit-card numbers. Wardle's malware completely bypasses that process.
"Random apps should not be able to access the entire keychain and dump things like plaintext passwords," Wardle wrote on his blog.
Wardle, whose day job is as director of research at Redwood City, California, security firm Synack, didn't get into technical details about how he pulled off the attack. But this isn't the first time he's shown Mac security to be lacking.
"Apple marketing has done a great job convincing people that macOS is secure," Wardle told ZDNet. "I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable."
The silver lining here is that a random hacker cannot simply log into your Mac from afar and steal your passwords. Rather, the hacker must get you to agree to install the malware, which would probably be masquerading as something else.
You may think "I'm too smart to fall for that." But online criminals know how to fool people by using fake software updates, or, as evidenced by the CCleaner hack just last week, by sneaking malware into legitimate software updates at the source.
Last year, Wardle himself showed how a well-known antivirus product could be exploited to distribute Mac malware.
Apple's solution won't work
Apple has not responded to an email sent by Tom's Guide requesting comment.
However, Apple provided this statement to Ars Technica and to CNET: "MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents."
The problem is that Gatekeeper doesn't work very well at keeping out malware, as Wardle and other Mac security researchers have shown time and time again. All Gatekeeper does is check to see whether a new piece of software has been "signed" with a valid Apple developer ID — and anyone can get an Apple developer ID with an email address and $99.
Wardle deliberately didn't sign KeychainStealer with an Apple developer ID because he "merely wanted to show how low the bar was/is set," he explained on his blog.
"Essentially any malicious code can perform this attack," Wardle added. "Yes, this includes signed apps as well!"
UPDATE: Apple responded to our query with the same statement it provided to Ars Technica and CNET, reproduced in full above.