SecureWorld News

Keychain Passwords Insecure in New macOS High Sierra?

Written by SecureWorld News Team | Mon | Sep 25, 2017 | 6:17 PM Z

Apple announced today that its new macOS High Sierra is available as a free update.

Within hours, a security researcher claims to have found something else free for the taking: the passwords users store in their keychain on Macs using the new OS. 

In his video, you can see researcher Patrick Wardle exploit the apparent vulnerability as he snags keychain-stored passwords for Twitter, Facebook, and Bank of America.

"High Sierra is vulnerable to an exploitable implementation flaw that allows unsigned non-priv'd apps (i.e. downloaded from the internet) to programmatically dump & exfiltrate your keychain (including plaintext passwords)," his video description says.

The researcher also told Forbes, "I'm not going to say the [keychain] exploit is elegant, but it does the job, doesn't require root and is 100% successful."

Will a fix show up in the next version of High Sierra? We shall see.