Apple Inc. launched a new version of its macOS operating system Monday but in an interesting twist it has been revealed to have massive, gaping security hole.

The epic fail was identified by Patrick Wardle, a former National Security Agency analyst and now head of research at security firm Synack Inc., who warned on Twitter that in High Sierra, the new macOS, unsigned apps can programmatically dump and exfiltrate plain text passwords from the Mac keychain.

To demonstrate the High Sierra vulnerability, Wardle created an app he dubbed “keychainStealer” that in the video below shows how easy it is to obtain not only passwords to websites and services from macOS users but also stored credit card numbers as well.

The code for keychainStealer is said to be easily bundled with other Mac software and programmed to send the details back to a command-and-control server.

“Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords,” Wardle told Forbes in an interview. “Normally you are not supposed to be able do that programmatically.”

He added that “most attacks we see today involve social engineering and seem to be successful targeting Mac users. I’m not going to say the [keychain] exploit is elegant – but it does the job, doesn’t require root and is 100 percent successful.”

Apple Mac users have been, generally speaking, mostly immune to hacking and exploit attacks, with recently published research from Carbon Black Inc. noting that 99 percent of all ransomware attacks target Microsoft products “with Mac users virtually untouched.”

That said, macOS is not nor has ever been 100 percent safe. In February, a form of ransomware targeting Mac users called “Patcher” was detected in the wild, while Russians were blamed for a form of macOS malware detailed by security researchers the same month.

Apple has not publicly commented on the vulnerability, but presumably will issue a security patch at some point in the near future.

Photo: choubistar/Flickr