Apple Keychain ‘completely cracked’ by security researchers, but are you vulnerable?

BurnIconXResearchers at the Georgia Institute of Technology have revealed findings that show Apple’s Keychain password service is vulnerable to malware that can steal passwords from other apps on the system and gain access to services and devices that you use with your Mac.

The Keychain stores passwords in an encrypted format, so while direct access to them is exceptionally difficult, OS X supports services that allow apps to authenticate and then have access to the passwords. Even though the Keychain is supposed to only allow access to services by approved applications (ie, those listed when you open a keychain entry and look at its Access Control tab), the fault here is that applications with keychain access can delete and re-create these keychain entries, and in doing so redirect apps to store passwords in a shared entry that the malicious app can access.

As a result, if a keychain denies access to an app by this access control list, then the app will have to ask for authentication in order to read any information from this keychain entry. However, nothing stops an app from creating a new empty keychain entry for itself for a specific online service. Then by setting up the app for access by another legitimate app on the system, such as a Web browser, when the browser is used to access this service, saving your password will use the new malicious keychain entry.

From this point on, the malicious program will have full access to the login credentials and the online service the protect.

In a video demonstration of this issue, researchers show a custom sandboxed app initially without access, creating a special keychain entry and then duplicating an access entry for Google’s Chrome browser into the keychain (all which can apparently be done without authentication). From here, logging into Facebook saves the password, and allows the sandboxed app access to it.

Unfortunately there does not appear to be a workaround for this issue at the moment, and developers for some apps like Google Chrome are removing support for Apple’s keychain to prevent exploits from occurring; however, overall the best way to avoid this and other exploits is to simply avoid apps from unknown developers, even if you have downloaded them through the App Store and other reputable locations.

The only way for this vulnerability to be exploited is if you have a malicious app running locally on your system, so research all apps you use, and only use official apps for the online services you use. In addition, consider avoiding using keychains for highly important online services, including online banking and medical records.

Via: The Register

13 thoughts on “Apple Keychain ‘completely cracked’ by security researchers, but are you vulnerable?

  1. Roger Pelizzari

    Topher, how does one avoid using keychains for highly important online services?
    How do you turn them off?

    1. Ira Lansing

      When using Safari the first time you enter a login and password for a site, you are asked if you want Safari/Keychain to remember the info. Just say “no”.

  2. B. Jefferson Le Blanc

    It’s a poor time to suggest Last Pass as they were just hacked in the last few days.

    It’s a matter of opinion, of course, but because 1Password runs locally and not on a web server in the cloud, it is less vulnerable to hacking. It may or may not be more convenient or easy to use than Last Pass. YMMV.

    Of course we can hope Apple finds a way to secure the Keychain against this hack, but given the way it works and what it does, it’s hard to see how it can be done.

    As for unknown developers, most people know nothing or next to nothing about app developers. If apps in the App Store are not trustworthy, the whole ecosystem breaks down. Avoiding unknown developers means never trying a new app. If more than a few people followed this advice it would kill the App Store and ruin every developer on it.

    It’s more likely a so-called approved developer from outside the App Store would exploit this hack. It’s been done before. Such developers are harder to police. If you want to avoid the risk here, set your security to Allow apps downloaded from the Mac App Store only in the General tab of the Security & Privacy preference pane. Thereafter you will be asked to authorize every non-App Store app you use. This can be a nuisance, but it will oblige you to pay attention to what you’re doing and should help you avoid using a suspicious app. This is not a foolproof method, of course, because it depends on the judgment of individual users. And all of us have been fooled at one time or another, even the most careful and paranoid among us.

    If you’ve been letting Safari record your passwords, saying No going forward is like shutting the barn door after the cows have gone. You can clear all those passwords, or select specific ones to delete (say, the most sensitive) in Safari’s preferences, in the Password tab. If you clear them all, then you can start from scratch saying No when Safari prompts you to record your passwords. If this becomes a nuisance, as it almost certainly will, you can uncheck Autofill user names and passwords to kill the prompt. You can also edit your keychain (in the Keychain Access app in the Utilities folder) to delete sensitive items. This will mean having to enter your admin password more often, so only you can decide if it’s worth the trouble.

    Given how convenient autofill is in Safari and the keychain is in general, I suspect few people will use these drastic measures and forego that convenience. Most of us will see the risk of encountering this exploit as very low and choose to chance it. After all, it’s only one of a legion of risks out there that we run every time we use the Internet. Still, it’s good to know how to armor plate your system if you want to.

    1. lkrupp215

      Wow, a level headed response. Much better than running around with your hair on fire screaming at the top of your lungs that the Apocalypse is near.

  3. darkdreamer4u

    Passwords for banks, SS acct., etc., simply don’t belong in the Keychain. I’ve never trusted Keychain to be secure enough, so I’ve always politely declined to store such passwords in a browser or the Keychain. It may have been a bit of a bother to have to remember those passwords, but hey, doing so also keeps your gray cells young;-)

    1. Me In LA

      Exactly. For things that would ruin my life, I have a text file stored on a Disk Image that is encrypted with a nice, long pass-phrase. The rest I could care lesser about, so 1Password has been great. Nothing is perfect, but this works well for me.


  4. hydrovacing

    Not yet but Apple had better GTST and start doing some rethink on their Cloud system as well as Gatekeeper. They are starting wander down the same path as Microsoft is still wandering down since the ill fated launch of Windows 95.

    1. alvarnell

      GateKeeper has been tweaked a bit with most every OS since it was introduced, but obviously still has some glaring issues. I think there are some easy fixes to make it more robust today (and probably force a few developers to properly sign their apps) but clearly something more than a hardened GateKeeper is going to be required to put this to bed.

  5. Rick Auricchio

    I think using the term “completely cracked” by the researchers is somewhat irresponsible. What they claim is the ability for a program to create a counterfeit keychain item. The term “completely cracked” implies the ability to access every existing item in the keychain file, which they are not doing.

    Time to hose down their hyperbole…sure, it gets headlines, but we don’t need scare tactics.

  6. alvarnell

    Apple has provided iMore with the following comment on the XARA exploits:

    “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store,” an Apple spokesperson told iMore. “We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”

  7. Chris Hart, Independent Apple Support Consultant

    One way to protect yourself is to lock the keychain when you’re not needing it. You can do this by opening Keychain Access (utilities folder) and locking the large padlock in the upper left corner of the window.

    Unlocking the keychain is accomplished by clicking the lock and entering your Mac user account password. (Most people don’t know this, but you can increase your Mac security by assigning your keychain a different password than your user account.) If you end up locking/unlocking this regularly, you can enable the keychain access menu item in the menu bar and quickly access the lock/unlock functions (this is in Keychain Access preferences).

    If you use Safari, locking the keychain will unfortunately cause incessant requests to unlock the keychain as you browse. (Which I feel is an idiotic design aspect of Safari.) While Safari is a great browser in many respects, it’s definitely not the best browser for the Mac. I feel that Firefox is still a great alternative but Chrome is my hands down favorite browser. It’s faster than Safari and handles multiple tabs better.

    I have never been comfortable with keeping my highly sensitive passwords in the Mac keychain and have always recommend against it, to my clients. Since it’s unlocked the entire time you’re using your computer (at least for most people), it’s a security loophole.

    This is why I love and recommend 1Password. It’s an encrypted password island unto itself, which you have complete control over. Using 1P is always my first “best security practices” recommendation. 1P is not without flaws and there are certainly other password managers out there. But I don’t think any others have the combination of giving you complete control along with a lot of flexibility and features (while also providing for mobility, and syncing with other devices, if you chose to enable that).

    The criticism that “Last Pass was just hacked” is not entirely accurate or fair. The ‘hack’ of their systems only garnered email addresses, password *hints* and basic customer information. Customer passwords were not compromised. I have recommended Last Pass to my customers who didn’t want to purchase 1Password and I will continue to do so.

Comments are closed.