Researchers at the Georgia Institute of Technology have revealed findings that show Apple’s Keychain password service is vulnerable to malware that can steal passwords from other apps on the system and gain access to services and devices that you use with your Mac.
The Keychain stores passwords in an encrypted format, so while direct access to them is exceptionally difficult, OS X supports services that allow apps to authenticate and then have access to the passwords. Even though the Keychain is supposed to only allow access to entries by approved applications (i.e., those listed when you open a keychain entry and look at its Access Control tab), the fault here is that applications with keychain access can delete and re-create these keychain entries, and in doing so redirect apps to store passwords in a shared entry that the malicious app can access.
From this point on, the malicious program has full access to the login credentials and the online services they protect.
In a video demonstration of this issue, the researchers show a custom sandboxed app, initially without access, creating a special keychain entry and then duplicating an access entry for Google’s Chrome browser into it (all of which can apparently be done without authentication). From here, logging into Facebook saves the password to that entry, and the sandboxed app can read it.
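As an added illustration, not code from the article or from the researchers, the toy model below captures the mechanism described above: a store routine that blindly reuses an existing keychain entry leaks the new password into an entry a hostile app has recreated with itself on the access list, while a store routine that checks the entry's access list before writing refuses. The keychain, app names, access-list policy and unguarded delete are constructed assumptions for the model, not macOS APIs.

```python
# Toy model (constructed) of keychain entries guarded by per-entry access lists.
class Keychain:
    def __init__(self):
        self.items = {}                 # (service, account) -> {"acl": set, "secret": str | None}

    def create(self, app, service, account, acl):
        assert (service, account) not in self.items
        self.items[(service, account)] = {"acl": set(acl), "secret": None}

    def delete(self, service, account):
        # Modelled without an access-list check, as the article describes.
        self.items.pop((service, account), None)

    def write(self, app, service, account, secret):
        item = self.items[(service, account)]
        if app not in item["acl"]:
            raise PermissionError(app)
        item["secret"] = secret

    def read(self, app, service, account):
        item = self.items[(service, account)]
        if app not in item["acl"]:
            raise PermissionError(app)
        return item["secret"]


def store_naive(kc, app, service, account, secret):
    """Reuse whatever entry already exists: the behaviour the flaw abuses."""
    if (service, account) not in kc.items:
        kc.create(app, service, account, acl={app})
    kc.write(app, service, account, secret)
    return True


def store_checked(kc, app, service, account, secret):
    """Refuse to write into an entry whose access list names anyone but us."""
    item = kc.items.get((service, account))
    if item is not None and item["acl"] != {app}:
        return False                    # unexpected party on the access list: do not store
    return store_naive(kc, app, service, account, secret)


def scenario(store):
    """Replays the demonstration with the given store routine; returns (stored, what 'evil' can read)."""
    kc = Keychain()
    store(kc, "browser", "facebook.com", "alice", "old-pw")   # legitimate entry, ACL = {browser}
    kc.delete("facebook.com", "alice")                         # hostile app removes it ...
    kc.create("evil", "facebook.com", "alice", acl={"evil", "browser"})  # ... and recreates it with itself added
    stored = store(kc, "browser", "facebook.com", "alice", "new-pw")     # user logs in again
    try:
        leaked = kc.read("evil", "facebook.com", "alice")
    except (PermissionError, KeyError):
        leaked = None
    return stored, leaked
```

`scenario(store_naive)` returns `(True, "new-pw")`, while `scenario(store_checked)` returns `(False, None)`: the checked routine never places the new password where the hostile app can read it.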
Unfortunately there does not appear to be a workaround for this issue at the moment, and developers of some apps, such as Google Chrome, are removing support for Apple’s keychain to prevent it from being exploited. Overall, however, the best way to avoid this and similar exploits is simply to avoid apps from unknown developers, even if you have downloaded them through the App Store or other reputable locations.
The only way for this vulnerability to be exploited is if a malicious app is running locally on your system, so research all apps you use, and use only official apps for the online services you use. In addition, consider not using the keychain for highly important online services, including online banking and medical records.
Via: The Register