erase-install Credential Interception Vulnerability on Apple Silicon Macs
Vulnerability
A vulnerability in erase-install versions prior to 40.4 allows admin credentials to be intercepted via a named pipe. The issue arises because the application writes swiftDialog credential output to a hardcoded, world-writable path (/var/tmp/dialog.json) on Apple Silicon Macs. An unauthenticated attacker can exploit this by creating a named pipe at the predictable location and intercepting the credentials in real time during reinstall or erase operations.
Impact
Exploitation of this vulnerability allows for real-time interception of admin credentials entered during swiftDialog prompts, with the captured data being directed to the attacker's terminal.
Reproduction
To reproduce this vulnerability, an unprivileged user on an Apple Silicon Mac creates a named pipe and a symlink to the predictable dialog output path. When an admin subsequently runs the erase-install script with the --erase option, the credentials entered in the swiftDialog prompt are intercepted through the symlinked path.
Remediation
Users are advised to upgrade erase-install to version 40.4 or later, where this vulnerability has been fixed.
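As an added illustration (not erase-install's or swiftDialog's own code; the page does not say how 40.4 fixed the issue), the shell functions below show the two defensive measures this bug class calls for: a pre-flight check that refuses a pre-created symlink, named pipe or foreign-owned file at a fixed output path, and a per-run private path that replaces the hardcoded one. The function names and the use of mktemp are assumptions.

```shell
# Added example, not erase-install's own code. Defender-side helpers for the
# bug class described above: a fixed, predictable output path in a shared
# directory (e.g. /var/tmp/dialog.json) that another local user can pre-create.
# Assumes a POSIX shell with mktemp and the common test operators -L, -p, -O.

# Return 0 only when "$1" is safe to use for credential output: it must either
# not exist yet, or be a regular file (not a symlink, not a FIFO) owned by the
# current user. Anything pre-created in the shared directory is rejected.
dialog_path_is_safe() {
    p="$1"
    if [ -L "$p" ]; then            # -L tests the link itself, without following it
        echo "refusing $p: symlink" >&2; return 1
    fi
    if [ -p "$p" ]; then            # FIFO: writes go straight to whoever reads the other end
        echo "refusing $p: named pipe" >&2; return 1
    fi
    if [ -e "$p" ]; then
        if [ ! -f "$p" ]; then      # directory, socket, device ...
            echo "refusing $p: not a regular file" >&2; return 1
        fi
        if [ ! -O "$p" ]; then      # pre-created by someone else, who could read it later
            echo "refusing $p: owned by another user" >&2; return 1
        fi
    fi
    return 0
}

# Safer alternative to a hardcoded path: a fresh, unpredictable file name inside
# a directory only the invoking user can enter (mode 0700). Prints the path for
# the caller to hand to swiftDialog as its JSON output location.
dialog_private_output_path() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/dialog.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d/dialog.json"
}
```

The pre-flight check alone still leaves a window between checking and creating the file, so the private directory is the actual fix; the check is useful as a tripwire that logs an attempt against older hardcoded-path deployments.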