DrMacintosh

Researcher demos new macOS Keychain exploit, holds data from Apple


Posted · Original PosterOP

A security researcher has revealed a new exploit in Keychain.app (a password and credential management software introduced in macOS 9) but is opting to keep the details of this exploit hidden from Apple.

Quote

A demo app, "KeySteal," is able to extract login and System passwords from Keychain without any administrator privileges, and regardless of whether System Integrity Protection or Access Control Lists are configured, according to Linuz Henze. Items in the iCloud Keychain are immune, Henze told Heise.

The bad news is that macOS has a security exploit, the good news is that it only affects local passwords. This means that all but those who chose to manually disable iCloud (something you should never do for a multitude of reasons), are not affected by this supposed threat. I say "supposed threat" because there is no demoed replicability and there was no demo of the application getting any new passwords, leaving the possibility of this being fake.

This exploit has not been deployed as far as I know.

The analyst claims to be withholding details of the exploit from Apple, citing that the Bug Bounty Program does not include macOS exploits (which in my opinion it should).

Quote

Henze's protest stems from the fact that the company's bug bounty program only covers iOS, not macOS. Independent researchers can be dependent on such payouts.
 

When Apple developed iCloud in iOS 5, they included Keychain functionality. Since iOS 5, users of the Apple ecosystem have not needed a password manager and as iOS continued to mature, its auto-fill features made iCloud Keychain more and more convenient. This means that the vast majority of users only have password data stored in iCloud and their information is perfectly safe. 

 

Source: http://appleinsider.com/articles/19/02/06/researcher-demos-new-macos-keychain-exploit-holds-data-from-apple-in-protest


2 minutes ago, DrMacintosh said:

manually disable iCloud (something you should never do)

Having passwords stored on anything other than local machines is something you should never do.



are the passwords for email accounts affected? you know the accounts for Apple Mail?


Posted · Original PosterOP
Just now, Drak3 said:

Having passwords stored on anything other than local machines is something you should never do

Despite the fact that storing those passwords locally.....caused this security vulnerability? 


Posted · Original PosterOP
Just now, firelighter487 said:

are the passwords for email accounts affected? you know the accounts for Apple Mail?

If those passwords are stored locally, yes they can be affected. Mind you this bug has not been deployed in any fashion as far as I know. 



Dang, the FaceTime bug and now this. A rough week for Apple. On a serious note, that’s kinda crazy how easy it is to exploit keychain. Imagine what the implications of this are if Apple doesn’t fix this quickly.



Don’t you just love this stuff....

 


Just now, DrMacintosh said:

If those passwords are stored locally, yes they can be affected. Mind you this bug has not been deployed in any fashion as far as I know. 

how do i figure out if they are? 

 

i'm just gonna delete those accounts from my Mac as soon as it's done updating. 


1 minute ago, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

Storing anything online is a security vulnerability.

 

It's easier to stop an attack on your local machine than it is on someone else's, especially when you can only store files on their machine.


Posted · Original PosterOP
1 minute ago, I-r0k said:

Imagine what the implications of this are if Apple doesn’t fix this quickly.

The implications are relatively minor. The vast majority of macOS users would never save a password locally. If you have iCloud on (which you should), your passwords will be stored in iCloud and will not be vulnerable to this exploit.



and for clarification, all of my login crap from safari isn't affected right? 


Posted · Original PosterOP
Just now, Drak3 said:

Storing anything online is a security vulnerability.

 

It's easier to stop an attack on your local machine than it is on someone else's, especially when you can only store files on their machine.

While true in principle, you must acknowledge that in this case, it didn't work like that. 


Posted · Original PosterOP
1 minute ago, firelighter487 said:

and for clarification, all of my login crap from safari isn't affected right?

If you have iCloud enabled and iCloud Keychain is turned on, you're more than likely fine. I think you have to manually add a password to Keychain.app for it to be saved locally. Any password management you do in Safari defaults to iCloud Keychain.  


3 minutes ago, DrMacintosh said:

If you have iCloud enabled and iCloud Keychain is turned on, you're more than likely fine. I think you have to manually add a password to Keychain.app for it to be saved locally. Any password management you do in Safari defaults to iCloud Keychain.  

they are in the icloud section in the keychain thing...


3 minutes ago, DrMacintosh said:

While true in principle, you must acknowledge that in this case, it didn't work like that. 

...only because of a bug in OSX.

@DrMacintosh i did notice a 'chrome safe storage' thing in the keychain app. stored locally... does that mean that they can unlock all my passwords in my google account?


4 minutes ago, DrMacintosh said:

While true in principle, you must acknowledge that in this case, it didn't work like that. 

No, it still works exactly like that. This is avoidable if you're remotely competent in computer security.


Posted · Original PosterOP
7 minutes ago, Drak3 said:

No, it still works exactly like that.

K


Posted · Original PosterOP
15 minutes ago, Dabombinable said:

...only because of a bug in OSX.

Yes


44 minutes ago, DrMacintosh said:

Yes

Meaning that it's still inherently better to have passwords stored locally.

Good thing I use keepass even on macOS


49 minutes ago, Dabombinable said:

Meaning that it's still inherently better to have passwords stored locally.

Enpass...



Just go back to pen and paper and store your written passwords in a lock if you really want security. 

 

If you're storing your passwords in a service like LastPass (what I usually use), your trust is then onto whoever manages that service because there's always that risk that someone will attempt to breach or a bug that causes a major security hole. I treat these services as more of some sort of convenience as it does manage passwords, but you give up something for that. 

 

Storing your passwords locally is usually more secure, but if you really want secure, save them off the machine and onto something physical. 



 

6 hours ago, D13H4RD said:

save them off the machine and onto something physical. 

Preferably not a sticky note taped to the device.


21 hours ago, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

First they must get that app onto the PC in question. So if the user is not a moron it is way more safe than any lame cloud thingy...
