Researcher demos new macOS Keychain exploit, holds data from Apple

[DrMacintosh]

A security researcher has revealed a new exploit in Keychain.app (a password and credential managment software introduced in macOS 9) but is opting to keep the details of this exploit hidden from Apple. 

Quote

A demo app, "KeySteal," is able to extract login and System passwords from Keychain without any administrator privileges, and regardless of whether System Integrity Protection or Access Control Lists are configured, according to Linuz Henze. Items in the iCloud Keychain are immune, Henze told Heise.

The bad news is that macOS has a security exploit, the good news is that it only effects local passwords. This means that all but those who chose to manually disable iCloud (something you should never do for a multitude of reasons), are not affected by this supposed threat. I say "supposed threat" because there is no demoed replicability and there was no demo of the application getting any new passwords, leaving the possibility of this being fake. 

 

This exploit has not been deployed as far as I know. 

 

The analyst claims to be withholding details of the exploit from Apple, citing that the Bug Bounty Program does not include macOS exploits (which in my opinion it should).

Quote

Henze's protest stems from the fact that the company's bug bounty program only covers iOS, not macOS. Independent researchers can be dependent on such payouts.
 

When Apple developed iCloud in iOS 5, they included Keychain functionality. Since iOS 5, users of the Apple ecosystem have not needed a password manager and as iOS continued to mature, its auto-fill features made iCloud Keychain more and more convenient. This means that the vast majority of users only have password data stored in iCloud and their information is perfectly safe. 

 

Source: http://appleinsider.com/articles/19/02/06/researcher-demos-new-macos-keychain-exploit-holds-data-from-apple-in-protest

[Drak3]

2 minutes ago, DrMacintosh said:

manually disable iCloud (something you should never do)

Having passwords stored on anything other than local machines is something you should never do.

[firelighter487]

are the passwords for email accounts affected? you know the accounts for Apple Mail?

[DrMacintosh]

Just now, Drak3 said:

Having passwords stored on anything other than local machines is something you should never do

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

[DrMacintosh]

Just now, firelighter487 said:

are the passwords for email accounts affected? you know the accounts for Apple Mail?

If those passwords are stored locally, yes they can be affected. Mind you this bug has not been deployed in any fashion as far as I know. 

[I-r0k]

Dang, The FaceTime bug and now this. A rough week for Apple. On a serious note, that’s kinda crazy how easy it is to exploit keychain. Image what the implications of this are if Apple doesn’t fix this quickly.

[I-r0k]

Don’t you just love this stuff....

 

[firelighter487]

Just now, DrMacintosh said:

If those passwords are stored locally, yes they can be affected. Mind you this bug has not been deployed in any fashion as far as I know. 

how do i figure out if they are? 

 

i'm just gonna delete those accounts from my Mac as soon as it's done updating. 

[Drak3]

1 minute ago, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

Storing anything online is a security vulnerability.

 

It's easier to stop an attack on your local machine than it is on someone else's, especially when you can only store files on their machine.

[DrMacintosh]

1 minute ago, I-r0k said:

Image what the implications of this are if Apple doesn’t fix this quickly.

The implications are relativity minor. The vast majority of macOS users would never save a password locally. If you have iCloud on (which you should), your passwords will be stored in iCloud and will not be vulnerable to this exploit.  

[firelighter487]

and for clarification, all of my login crap from safari isn't affected right? 

[DrMacintosh]

Just now, Drak3 said:

Storing anything online is a security vulnerability.

 

It's easier to stop an attack on your local machine than it is on someone else's, especially when you can only store files on their machine.

While true in principle, you must acknowledge that in this case, it didn't work like that. 

[DrMacintosh]

1 minute ago, firelighter487 said:

and for clarification, all of my login crap from safari isn't affected right?

If you have iCloud enabled and iCloud Keychain is turned on, you're more than likely fine. I think you have to manually add a password to Keychain.app for it to be saved locally. Any password management you do in Safari defaults to iCloud Keychain.  

[firelighter487]

3 minutes ago, DrMacintosh said:

If you have iCloud enabled and iCloud Keychain is turned on, you're more than likely fine. I think you have to manually add a password to Keychain.app for it to be saved locally. Any password management you do in Safari defaults to iCloud Keychain.  

they are in the icloud section in the keychain thing...

[Dabombinable]

3 minutes ago, DrMacintosh said:

While true in principle, you must acknowledge that in this case, it didn't work like that. 

...only because of a bug in OSX.

[firelighter487]

@DrMacintosh i did notice a 'chrome safe storage' thing in the keychain app. stored locally... does that mean that they can unlock all my passwords in my google account?

[Drak3]

4 minutes ago, DrMacintosh said:

While true in principle, you must acknowledge that in this case, it didn't work like that. 

No, it still works exactly like that. This is avoidable if you're remotely competent in computer security.

[DrMacintosh]

7 minutes ago, Drak3 said:

No, it still works exactly like that.

K

[DrMacintosh]

15 minutes ago, Dabombinable said:

...only because of a bug in OSX.

Yes

[Dabombinable]

44 minutes ago, DrMacintosh said:

Yes

Meaning that its still inherently better to have passwords stored locally.

[suicidalfranco]

Good thing I use keepass even on macOS

[captain_to_fire]

49 minutes ago, Dabombinable said:

Meaning that its still inherently better to have passwords stored locally.

Enpass...

[D13H4RD]

Just go back to pen and paper and store your written passwords in a lock if you really want security. 

 

If you're storing your passwords in a service like LastPass (what I usually use), your trust is then onto whoever manages that service because there's always that risk that someone will attempt to breach or a bug that causes a major security hole. I treat these services as more of some sort of convenience as it does manage passwords, but you give up something for that. 

 

Storing your passwords locally is usually more secure, but if you really want secure, save them off the machine and onto something physical. 

[79wjd]

 

6 hours ago, D13H4RD said:

save them off the machine and onto something physical. 

Preferably not a sticky note taped to the device.

[jagdtigger]

21 hours ago, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

First they most get that app onto the PC in question. So if the user is not a moron it is way more safe than any lame cloud thingy...