Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security Flaw in OS X?

Watabou

Watabou

macrumors 68040
Original poster
Feb 10, 2008
3,425
755
United States
I was just reading HackerNews and came across a startling discovery.

If a person somehow managed to get access to your computer they can use the security command in the Terminal to get access to ALL your login usernames and passwords.

You can read more about this here: https://news.ycombinator.com/item?id=4518873

The actual command, if you'd like to see how easy it actually is for the system to just spew your passwords in the Terminal, is the one given below. Just copy and paste into the terminal and hit enter. Notice how you don't even have to type sudo in front (which means it doesn't require your password at all before it runs):

Code: 
security dump-keychain -d ~/Library/Keychains/login.keychain

You can press Control-C in the Terminal to manually quit the dumping process.

The only dialog that shows up is the allow or deny option and if you click allow, the password gets dumped into the Terminal.

The only way to prevent this is to actually click on the Lock icon in the Keychain app or set up the autolocking feature of the app by following these steps:

Open "Keychain Access". Right click on "login" and select the "change settings for Keychain login" item. Check the box next to "lock after x minutes of inactivity". I set it up for 15 minutes. The only downside to that is, you have to enter your password every time the system asks to access the login keychain which is tedious if you have a big password like I do.

I don't really understand if this is a security flaw or not for now. From what people have said, it may be a conscious decision of Apple to unlock the login keychain so that the user does not have to type their password in every time the system asks. What do you guys think?
 
M

mrapplegate

macrumors 68030
Feb 26, 2011
2,818
8
Cincinnati, OH
Watabou said:
I was just reading HackerNews and came across a startling discovery.

If a person somehow managed to get access to your computer they can use the security command in the Terminal to get access to ALL your login usernames and passwords.

You can read more about this here: https://news.ycombinator.com/item?id=4518873

The actual command, if you'd like to see how easy it actually is for the system to just spew your passwords in the Terminal, is the one given below. Just copy and paste into the terminal and hit enter. Notice how you don't even have to type sudo in front (which means it doesn't require your password at all before it runs):

Code: 
security dump-keychain -d ~/Library/Keychains/login.keychain

You can press Control-C in the Terminal to manually quit the dumping process.

The only dialog that shows up is the allow or deny option and if you click allow, the password gets dumped into the Terminal.

The only way to prevent this is to actually click on the Lock icon in the Keychain app or set up the autolocking feature of the app by following these steps:

Open "Keychain Access". Right click on "login" and select the "change settings for Keychain login" item. Check the box next to "lock after x minutes of inactivity". I set it up for 15 minutes. The only downside to that is, you have to enter your password every time the system asks to access the login keychain which is tedious if you have a big password like I do.

I don't really understand if this is a security flaw or not for now. From what people have said, it may be a conscious decision of Apple to unlock the login keychain so that the user does not have to type their password in every time the system asks. What do you guys think?
Click to expand...

The saying is something like this:
If they have physical access to your computer, there is no security.

If you are worried do as the article says, and lock your keychain.
 
I

iVoid

macrumors 65816
Jan 9, 2007
1,145
190
Wow, this is not good.

At least in the keychain access app, it requires you to type in the keychain password before displaying the passwords (locked or not).

Now I don't put any sensitive passwords in my keychain, so this isn't the end of the world for me, but I do think Apple needs to fix this so you'd have to enter the keychain password before allowing this sort of dump.

While it is true of someone has physical access to your logged in computer without a screensaver lock, you shouldn't expect any security you should still not expect that someone can dump all your stored password so easily.
 
throAU

throAU

macrumors G3
Feb 13, 2012
8,827
6,987
Perth, Western Australia
This is how a keychain app works (and is intended to work)? If you are authenticated (i.e., logged in and keychain unlocked) you are assumed to be trusted, and the keychain app will give you your keys.

It isn't a mac specific security issue: if someone can log into your account, anything stored under that account is fair game. Including documents, browser history, browser cookies, etc.

If you don't want your usernames/passwords potentially exposed, your options are: filevault + secure login credentials + don't leave your machine unlocked.


This is no different to having someone open your web browser and getting access to the sites you have selected to remain logged in to.

What WOULD be a security issue is if I could log in as user A and dump user B's keychain - without sudo/admin access.
 
Last edited:
Starfox

Starfox

macrumors 6502
Apr 7, 2011
256
9
Watabou said:
If a person somehow managed to get access to your computer they can use the security command in the Terminal to get access to ALL your login usernames and passwords.
Click to expand...

And if a person somehow managed to get access to your house they can steal your TV!!!!!11111one
 
2

2square

macrumors member
Jul 20, 2011
31
0
why not just use a login pass / sleep/wake pass to prevent them from getting to the terminal in the first place?
 
munkery

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Watabou said:
The only dialog that shows up is the allow or deny option and if you click allow, the password gets dumped into the Terminal.
Click to expand...

A local user still has to authenticate the action.

A separate keychain isn't needed to protect these keychain entries.

If you want password authentication to be required for any specific keychain entry, then open that specific keychain entry, select the "Access Control" tab, and enable "Ask for Keychain password".

Screen Shot 2012-09-27 at 11.29.41 AM.png
 
Alameda

Alameda

macrumors 6502a
Jun 22, 2012
927
546
The link you provided didn't work, but... Are you just saying that if someone logs in to your Mac, they can access your keychain? Isn't that obvious? Isn't that the point of having user accounts?
 
W

waynep

macrumors 6502
Dec 31, 2009
434
0
Computer security also includes physical security. If they have physical access then you are compromised.
 
munkery

munkery

macrumors 68020
Dec 18, 2006
2,217
1
SlCKB0Y said:
Am I missing something? I ran that command and I did not get any plain-text passwords output to terminal.
Click to expand...

Did you choose accept at the prompts for each separate keychain entry?

I read somewhere that it only gives you hashes not the passwords in plain text. Although, the info didn't come from any official documentation.
 
dcorban

dcorban

macrumors 6502a
Oct 29, 2007
914
30
Watabou said:
I was just reading HackerNews and came across a startling discovery.

If a person somehow managed to get access to your computer…
Click to expand...
You rendered your own post pointless by the second sentence. :slowclap:
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom