Slashdot Mirror


"Extremely Critical" OS X Keychain Vulnerability Steals Passwords Via SMS

Mark Wilson writes: Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani — two of the team behind the myki identity management security software — found that a series of terminal commands can be used to extract a range of stored credentials. What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute. Ars reports that this weakness has been exploited for four years.

8 of 123 comments

  1. Do you even computer? by wbr1 · Score: 4, Informative

    SMS? This is an AppleScript exploit on a Mac PC, not a mobile device. Nowhere does the article explain that SMS is an attack vector, and unless iOS is vulnerable as well, I do not see how it could be.

    --
    Silence is a state of mime.
    1. Re:Do you even computer? by bobthesungeek76036 · Score: 2, Informative
      Yeah, I was having a hard time making the SMS connection. TFA speculates that SMS "could" be used to transmit the hijacked passwords:

      It is then possible to intercept a user's password and send it to the attacker via SMS or any other means

      Pretty far stretch if you ask me...

      --
      Karma: Bad
  2. Vulnerability not really extremely critical .. by nickweller · Score: 5, Informative

    "as long as a user had already allowed the app running the script to control the Mac .. the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don't require social engineering and end-user interaction." ref.

  3. Re: Wait for it... by Anonymous Coward · Score: 2, Informative

    It is only 9 lines of code: http://arstechnica.com/security/2015/09/attacks-accessing-mac-keychain-without-permission-date-back-to-2011/

    Then the app has all the accounts and passwords stored in your keychain.

  4. Re:Wait for it... by Anonymous Coward · Score: 5, Informative

    Couple of comments:

    - it is a security feature. Apple only approves Apps if they go through the App Store - if they are merely signed by a developer, Apple has no involvement in approval, but there is a credit card identity verification strength chain back to the developer via the signing certificate, and the certificate can be revoked centrally. That's changing the attack surface, and workable lifetime for the exploit, so it is reasonable to call it a security configuration feature.

    - OS X keychain and iOS keychain are different. In OS X, there are multiple keychains, and the level of access depends on configuration. Indeed there is no practical limit to the number of keychains in play. A standard user does not have access to the system keychain. Indeed your keychain doesn't need to be on the boot volume - paranoid OS X users put their keychain on an encrypted USB drive, and need to mount and unlock it, in addition to logging into the computer (so any credential on the drive is subject to 2FA to access).

    The actual "exploit" is _bordering_ on the old school "look at all the horrible things you can do if you have root access" exploits as though root access itself is the exploit.

    The attack does not work on the default configuration of the OS. In addition, it wouldn't work on a typical hardened configuration.

    If you run as an administrator, disable code signing, and explicitly enable the script, then yes it works, but those 3 things turn it from a 100 percent of the installed base problem into a much smaller problem.

    The

  5. Re:Wait for it... by sribe · Score: 4, Informative

    So all the user has to do is have zero understanding of the computer, click allow on everything without thinking, and ignore stuff that is obviously weird and broken? Sounds like this will work against 30% of the population. Add in that it gets you free porn and you got 10% more.

    No. For an app from an unidentified developer, there is no "Allow" option presented. You have to know how to bypass that security setting in order to get the app to run, which is the whole point--the kind of users who blindly click "Allow" to everything are unlikely to know how to do that, and so won't be able to run this kind of app.

  6. Re:Wait for it... by Tough+Love · Score: 2, Informative

    Apologist? It's a bug. Real one. Even some gurus are going to get stung by this one.

    And you greatly overstate the difficulty of joe dumbass user googling to find out how to allow non-apple apps.

    Apologist.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  7. Re: Wait for it... by Plumpaquatsch · Score: 4, Informative

    It is only 9 lines of code: http://arstechnica.com/securit...

    Then the app has all the accounts and passwords stored in your keychain.

    Yes. If you give that script access first. IOW no, not really. If you instead block it, you have to enable it before it can even ask again.

    --
    Of course news about a fake are Fake News.