A security vulnerability in Apple's new "High Sierra" operating system (OS) which could be exploited to leak your passwords was disclosed this week by a former US National Security Agency (NSA) hacker, mere hours before the software update was released to the public.
Patrick Wardle, who is now the director of research at security firm Synack, tweeted about the flaw on 25 September and released a video of the hack in action. He said the bug could, under certain circumstances, be used to steal Facebook credentials and banking details.
The attack that Wardle developed was dubbed "KeychainStealer" because it targeted the repository where your most sensitive information is stored.
But the security expert stressed that High Sierra was not the only piece of software that is vulnerable.
He warned that the new Apple exploit would work just as well against some prior versions of iOS for Macs.
"Malicious non-privileged code (or apps) could [...] access the keychain and dump all this data including your plain text passwords," Wardle wrote in a post detailing his discovery on 26 September.
"[Keychain] is where Apple stores a lot of your sensitive data. Malware or hackers would love to steal this juicy information!" he added (via Patreon).
For the attack to work, a hacker must first infect your Mac with malware, which could easily be done using booby-trapped emails, malicious links or website pop-ups.
While the incident is concerning for users, the existence of the flaw should not deter you from updating to the latest macOS, which is available now as a free download.
"Best bet - don't get infected," Wardle wrote. "This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked.
"By default the keychain is unlocked when the user logs in.
"However, you can change the keychain password so it is not automatically unlocked during login, or, via the Keychain Access app, lock the keychain while you are not using it."
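The two keychain mitigations Wardle describes can also be applied from the command line, which is easier to script across a fleet than the Keychain Access GUI. This is an added example, not code from the article or from Wardle; it uses Apple's `security` tool and assumes the default login keychain path on macOS 10.13 (`~/Library/Keychains/login.keychain-db`), and the `valid_timeout` cap of one day is an assumption of this script, not an Apple setting.

```shell
#!/bin/sh
# Added example: lock the login keychain and make it re-lock on its own,
# so malware running while the user is logged in finds it locked more often.
# LOGIN_KEYCHAIN assumes the default macOS 10.13 location; override if needed.
LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Validate an idle timeout in seconds: a positive integer, capped at one day
# (an assumed sanity bound) so a typo cannot silently disable auto-lock.
valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ "$1" -le 86400 ]
}

# Make the keychain lock on sleep (-l) and after N idle seconds (-u -t N).
# Returns 1 on a bad timeout, 2 when the macOS `security` tool is absent
# (for example when run on Linux), otherwise the exit status of `security`.
harden_login_keychain() {
    timeout="${1:-300}"
    valid_timeout "$timeout" || { echo "bad timeout: $timeout" >&2; return 1; }
    command -v security >/dev/null 2>&1 || return 2
    security set-keychain-settings -l -u -t "$timeout" "$LOGIN_KEYCHAIN"
}

# Lock the keychain right now: the CLI equivalent of "lock the keychain
# while you are not using it" in Keychain Access.
lock_login_keychain() {
    command -v security >/dev/null 2>&1 || return 2
    security lock-keychain "$LOGIN_KEYCHAIN"
}

# Print the current lock settings so the change can be verified.
show_login_keychain_settings() {
    command -v security >/dev/null 2>&1 || return 2
    security show-keychain-info "$LOGIN_KEYCHAIN"
}
```

Run `harden_login_keychain 300` then `show_login_keychain_settings` to confirm the timeout and lock-on-sleep flags took effect.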
In a statement, an Apple spokesperson said: "MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval.
"We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents."
So yes, the bug exists. But yes, you should still update.
Apple's team will be at work on a new patch and – as detailed on its support page – the High Sierra OS fixes a number of other security issues. In short, holding off will not make your computer safer but will actually leave you open to attack from already-resolved problems.