
Researcher demos new macOS Keychain exploit, holds data from Apple

DrMacintosh

A security researcher has revealed a new exploit in Keychain.app (a password and credential management software introduced in macOS 9) but is opting to keep the details of this exploit hidden from Apple.

Quote

A demo app, "KeySteal," is able to extract login and System passwords from Keychain without any administrator privileges, and regardless of whether System Integrity Protection or Access Control Lists are configured, according to Linus Henze. Items in the iCloud Keychain are immune, Henze told Heise.

The bad news is that macOS has a security exploit, the good news is that it only affects local passwords. This means that all but those who chose to manually disable iCloud (something you should never do for a multitude of reasons), are not affected by this supposed threat. I say "supposed threat" because there is no demoed replicability and there was no demo of the application getting any new passwords, leaving the possibility of this being fake.

 

This exploit has not been deployed as far as I know. 

 

The analyst claims to be withholding details of the exploit from Apple, citing that the Bug Bounty Program does not include macOS exploits (which in my opinion it should).

Quote

Henze's protest stems from the fact that the company's bug bounty program only covers iOS, not macOS. Independent researchers can be dependent on such payouts.
 

When Apple developed iCloud in iOS 5, they included Keychain functionality. Since iOS 5, users of the Apple ecosystem have not needed a password manager and as iOS continued to mature, its auto-fill features made iCloud Keychain more and more convenient. This means that the vast majority of users only have password data stored in iCloud and their information is perfectly safe. 

 

Source: http://appleinsider.com/articles/19/02/06/researcher-demos-new-macos-keychain-exploit-holds-data-from-apple-in-protest

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

2 minutes ago, DrMacintosh said:

manually disable iCloud (something you should never do)

Having passwords stored on anything other than local machines is something you should never do.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


Just now, Drak3 said:

Having passwords stored on anything other than local machines is something you should never do

Despite the fact that storing those passwords locally.....caused this security vulnerability? 


Just now, firelighter487 said:

are the passwords for email accounts affected? you know the accounts for Apple Mail?

If those passwords are stored locally, yes they can be affected. Mind you this bug has not been deployed in any fashion as far as I know. 


Dang, the FaceTime bug and now this. A rough week for Apple. On a serious note, that's kinda crazy how easy it is to exploit Keychain. Imagine what the implications of this are if Apple doesn't fix this quickly.

“Security is always excessive until it’s not enough.”

– Robbie Sinclair, Head of Security, NSW Australia 

 

“Have you tried turning it off and on again?” - Every Tech Rep Ever

 

If you need help with your build please tag me.

 

 

 

Main PC:

CPU: Ryzen 3 1300x RAM: 8gb ddr4 2666 MT/s Mobo: ASRock A320M HDD: 1tb WD GPU: Gtx 1050ti 4gb

 

Spoiler

P.s. if you can tell me what reference my location I will follow you. 

Bonus points if you can tell me the names of the people there. 

 

 

 

 


Don’t you just love this stuff....


Just now, DrMacintosh said:

If those passwords are stored locally, yes they can be affected. Mind you this bug has not been deployed in any fashion as far as I know. 

How do I figure out if they are?

I'm just gonna delete those accounts from my Mac as soon as it's done updating.

She/Her


1 minute ago, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

Storing anything online is a security vulnerability.

 

It's easier to stop an attack on your local machine than it is on someone else's, especially when you can only store files on their machine.


1 minute ago, I-r0k said:

Imagine what the implications of this are if Apple doesn't fix this quickly.

The implications are relatively minor. The vast majority of macOS users would never save a password locally. If you have iCloud on (which you should), your passwords will be stored in iCloud and will not be vulnerable to this exploit.


Just now, Drak3 said:

Storing anything online is a security vulnerability.

 

It's easier to stop an attack on your local machine than it is on someone else's, especially when you can only store files on their machine.

While true in principle, you must acknowledge that in this case, it didn't work like that. 


1 minute ago, firelighter487 said:

And for clarification, all of my login crap from Safari isn't affected, right?

If you have iCloud enabled and iCloud Keychain is turned on, you're more than likely fine. I think you have to manually add a password to Keychain.app for it to be saved locally. Any password management you do in Safari defaults to iCloud Keychain.  


3 minutes ago, DrMacintosh said:

If you have iCloud enabled and iCloud Keychain is turned on, you're more than likely fine. I think you have to manually add a password to Keychain.app for it to be saved locally. Any password management you do in Safari defaults to iCloud Keychain.  

They are in the iCloud section in the Keychain thing...


3 minutes ago, DrMacintosh said:

While true in principle, you must acknowledge that in this case, it didn't work like that. 

...only because of a bug in OSX.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


@DrMacintosh I did notice a 'Chrome Safe Storage' thing in the Keychain app, stored locally... does that mean that they can unlock all my passwords in my Google account?


4 minutes ago, DrMacintosh said:

While true in principle, you must acknowledge that in this case, it didn't work like that. 

No, it still works exactly like that. This is avoidable if you're remotely competent in computer security.


7 minutes ago, Drak3 said:

No, it still works exactly like that.

K


15 minutes ago, Dabombinable said:

...only because of a bug in OSX.

Yes


44 minutes ago, DrMacintosh said:

Yes

Meaning that it's still inherently better to have passwords stored locally.


Good thing I use keepass even on macOS

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

 

<>EVs are bad, they kill the planet and remove freedoms too some/<>


49 minutes ago, Dabombinable said:

Meaning that it's still inherently better to have passwords stored locally.

Enpass...

There is more that meets the eye
I see the soul that is inside

 

 


Just go back to pen and paper and store your written passwords in a lock if you really want security. 

 

If you're storing your passwords in a service like LastPass (what I usually use), your trust is then onto whoever manages that service because there's always that risk that someone will attempt to breach or a bug that causes a major security hole. I treat these services as more of some sort of convenience as it does manage passwords, but you give up something for that. 

 

Storing your passwords locally is usually more secure, but if you really want secure, save them off the machine and onto something physical. 

The Workhorse (AMD-powered custom desktop)

CPU: AMD Ryzen 7 3700X | GPU: MSI X Trio GeForce RTX 2070S | RAM: XPG Spectrix D60G 32GB DDR4-3200 | Storage: 512GB XPG SX8200P + 2TB 7200RPM Seagate Barracuda Compute | OS: Microsoft Windows 10 Pro

 

The Portable Workstation (Apple MacBook Pro 16" 2021)

SoC: Apple M1 Max (8+2 core CPU w/ 32-core GPU) | RAM: 32GB unified LPDDR5 | Storage: 1TB PCIe Gen4 SSD | OS: macOS Monterey

 

The Communicator (Apple iPhone 13 Pro)

SoC: Apple A15 Bionic | RAM: 6GB LPDDR4X | Storage: 128GB internal w/ NVMe controller | Display: 6.1" 2532x1170 "Super Retina XDR" OLED with VRR at up to 120Hz | OS: iOS 15.1


 

6 hours ago, D13H4RD said:

save them off the machine and onto something physical. 

Preferably not a sticky note taped to the device.

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.


21 hours ago, DrMacintosh said:

Despite the fact that storing those passwords locally.....caused this security vulnerability? 

First they must get that app onto the PC in question. So if the user is not a moron it is way more safe than any lame cloud thingy...
