Slashdot Mirror


"Extremely Critical" OS X Keychain Vulnerability Steals Passwords Via SMS

Mark Wilson writes: Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani — two of the team behind the myki identity management security software — found that a series of terminal commands can be used to extract a range of stored credentials. What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute. Ars reports that this weakness has been exploited for four years.

1 of 123 comments (clear)

  1. That's why I use Windows 10 by Anonymous Coward · · Score: 3, Funny

    No one is going to get my passwords. They've all been safely keylogged onto Microsoft's ultrasecure telemetry cloud!