Hours before Apple was supposed to launch its new macOS version — codenamed High Sierra (10.13) — Patrick Wardle, a well-known Apple security researcher, former NSA hacker, and Chief Security Researcher at Synack, published a video demonstrating a zero-day exploit in the company's upcoming OS.

The video, embedded below, shows an application downloaded on the user's workstation exploiting an unknown flaw to dump the content of the user's Keychain file in cleartext.

Keychain is a macOS application that stores passwords and account information, working similar to a local password and identity manager. All information stored in the Keychain app is encrypted by default, preventing other users or third-party apps from accessing this data without permission.

Attackers can use zero-day to steal users' Keychain passwords

"The exploit works by exploiting an implementation flaw in the OS," Wardle told Bleeping Computer in a private conversation. "It's macOS only (not iOS), but I believe it affects all recent versions of the OS."

"I haven't tested it with apps from the App Store, but any other code on the box (i.e. it's not a remote attack) can access and dump the user's Keychain [using the exploit]," Wardle added. The exploit also doesn't require root access.

Wardle says the zero-day he discovered can be used by malware or other malicious apps to dump passwords from the Keychain, which later can be exfiltrated to a remote server and used by the hackers.

Researcher reported zero-day to Apple

"I responsibly disclosed the bug to Apple - along with exploit code, and very detailed writeup," Wardle told Bleeping. "So, as far as I know, they are working on a patch."

"Apple marketing has done a great job convincing people that macOS is secure. And I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable," Wardle said. "My goal is simply to raise awareness."

"As a passionate Mac user, I'm continually disappointed in the security of macOS. I don't mean that to be taken personally by anybody at Apple - but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there," Wardle told Bleeping.

Second High Sierra zero-day Wardle disclosed this month

The Keychain vulnerability is, in fact, Wardle's second zero-day the expert revealed in macOS High Sierra this month.

At the start of September, Wardle picked Apple's new OS apart by showing that attackers could bypass a new security feature added in High Sierra.

Wardle found a way to bypass the new "Secure Kernel Extension Loading" (SKEL) feature added in High Sierra, which would allow attackers to load malicious kernel extensions and take over a user's device.

Image and video credits: Patrick Wardle