Security Flaw in OS X?




Watabou
Sep 13, 2012, 06:13 PM
I was just reading HackerNews and came across a startling discovery.

If a person somehow managed to get access to your computer they can use the security command in the Terminal to get access to ALL your login usernames and passwords.

You can read more about this here: https://news.ycombinator.com/item?id=4518873

The actual command, if you'd like to see how easy it actually is for the system to just spew your passwords in the Terminal, is the one given below. Just copy and paste into the terminal and hit enter. Notice how you don't even have to type sudo in front (which means it doesn't require your password at all before it runs):

security dump-keychain -d ~/Library/Keychains/login.keychain

You can press Control-C in the Terminal to manually quit the dumping process.

The only dialog that shows up is the allow or deny option and if you click allow, the password gets dumped into the Terminal.

The only way to prevent this is to actually click on the Lock icon in the Keychain app or set up the autolocking feature of the app by following these steps:

Open "Keychain Access". Right click on "login" and select the "change settings for Keychain login" item. Check the box next to "lock after x minutes of inactivity". I set it up for 15 minutes. The only downside to that is, you have to enter your password every time the system asks to access the login keychain which is tedious if you have a big password like I do.

I don't really understand if this is a security flaw or not for now. From what people have said, it may be a conscious decision of Apple to unlock the login keychain so that the user does not have to type their password in every time the system asks. What do you guys think?
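Added example (not part of the original post): the auto-lock setting described above can also be applied and checked from the Terminal with the same `security` tool. The function names are hypothetical, and the one-line output shape of `security show-keychain-info` that the parser expects is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumed shape of `security show-keychain-info` output (written to stderr):
#   Keychain "<path>" lock-on-sleep timeout=900s
#   Keychain "<path>" no-timeout

# keychain_lock_state LINE
# Prints "auto-lock:<seconds>", "never-locks", or "unknown".
keychain_lock_state() {
    case "$1" in
        *no-timeout*)
            echo "never-locks" ;;
        *timeout=*s*)
            secs=${1##*timeout=}   # drop everything through "timeout="
            secs=${secs%%s*}       # drop the trailing "s"
            echo "auto-lock:$secs" ;;
        *)
            echo "unknown" ;;
    esac
}

# enable_auto_lock KEYCHAIN MINUTES
# CLI equivalent of ticking "lock after x minutes of inactivity":
#   -l  lock when the machine sleeps
#   -u  lock after the timeout interval
#   -t  timeout in seconds
enable_auto_lock() {
    security set-keychain-settings -l -u -t "$(( $2 * 60 ))" "$1"
}

# audit_login_keychain
# Reports the current state of the login keychain (macOS only).
audit_login_keychain() {
    kc="$HOME/Library/Keychains/login.keychain"
    keychain_lock_state "$(security show-keychain-info "$kc" 2>&1)"
}

# Usage on a Mac (not run automatically):
#   enable_auto_lock "$HOME/Library/Keychains/login.keychain" 15
#   audit_login_keychain      # expected to report auto-lock:900
#   security lock-keychain "$HOME/Library/Keychains/login.keychain"
```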



mrapplegate
Sep 13, 2012, 06:29 PM
The saying is something like this:
If they have physical access to your computer, there is no security.

If you are worried do as the article says, and lock your keychain.

iVoid
Sep 13, 2012, 10:34 PM
Wow, this is not good.

At least in the keychain access app, it requires you to type in the keychain password before displaying the passwords (locked or not).

Now I don't put any sensitive passwords in my keychain, so this isn't the end of the world for me, but I do think Apple needs to fix this so you'd have to enter the keychain password before allowing this sort of dump.

While it is true that if someone has physical access to your logged-in computer without a screensaver lock you shouldn't expect any security, you should still not expect that someone can dump all your stored passwords so easily.

throAU
Sep 13, 2012, 11:10 PM
This is how a keychain app works (and is intended to work)? If you are authenticated (i.e., logged in and keychain unlocked) you are assumed to be trusted, and the keychain app will give you your keys.

It isn't a Mac-specific security issue: if someone can log into your account, anything stored under that account is fair game. Including documents, browser history, browser cookies, etc.

If you don't want your usernames/passwords potentially exposed, your options are: FileVault + secure login credentials + don't leave your machine unlocked.


This is no different to having someone open your web browser and getting access to the sites you have selected to remain logged in to.

What WOULD be a security issue is if I could log in as user A and dump user B's keychain - without sudo/admin access.

Starfox
Sep 13, 2012, 11:23 PM
> If a person somehow managed to get access to your computer they can use the security command in the Terminal to get access to ALL your login usernames and passwords.

And if a person somehow managed to get access to your house they can steal your TV!!!!!11111one

2square
Sep 14, 2012, 04:49 AM
Why not just use a login pass / sleep/wake pass to prevent them from getting to the terminal in the first place?

meme1255
Sep 14, 2012, 01:01 PM
You can set different passwords for user and user's keychain ;)

munkery
Sep 27, 2012, 01:41 PM
> The only dialog that shows up is the allow or deny option and if you click allow, the password gets dumped into the Terminal.

A local user still has to authenticate the action.

A separate keychain isn't needed to protect these keychain entries.

If you want password authentication to be required for any specific keychain entry, then open that specific keychain entry, select the "Access Control" tab, and enable "Ask for Keychain password".

R94N
Sep 29, 2012, 10:05 AM
I wouldn't use Keychain anyway.

whiskymac
Sep 29, 2012, 12:43 PM
> I wouldn't use Keychain anyway.

You work in GCHQ and I claim my £5 :D

Alameda
Sep 29, 2012, 07:30 PM
The link you provided didn't work, but... Are you just saying that if someone logs in to your Mac, they can access your keychain? Isn't that obvious? Isn't that the point of having user accounts?

waynep
Sep 29, 2012, 08:26 PM
Computer security also includes physical security. If they have physical access then you are compromised.

Alameda
Sep 30, 2012, 11:22 AM
> Computer security also includes physical security. If they have physical access then you are compromised.

That's what FileVault is for.

SlCKB0Y
Oct 1, 2012, 08:03 AM
Am I missing something? I ran that command and I did not get any plain-text passwords output to terminal.

munkery
Oct 1, 2012, 12:23 PM
> Am I missing something? I ran that command and I did not get any plain-text passwords output to terminal.

Did you choose accept at the prompts for each separate keychain entry?

I read somewhere that it only gives you hashes not the passwords in plain text. Although, the info didn't come from any official documentation.

SlCKB0Y
Oct 2, 2012, 07:00 AM
> I read somewhere that it only gives you hashes not the passwords in plain text. Although, the info didn't come from any official documentation.

I was getting hashes which is pretty much useless...

dcorban
Oct 2, 2012, 07:35 AM
> I was just reading HackerNews and came across a startling discovery.
>
> If a person somehow managed to get access to your computer…

You rendered your own post pointless by the second sentence. :slowclap: