Security Flaw in OS X?

Discussion in 'OS X Mountain Lion (10.8)' started by Watabou, Sep 13, 2012.

  1. macrumors 68040


    Feb 10, 2008
    United States
    I was just reading HackerNews and came across a startling discovery.

    If a person somehow managed to get access to your computer they can use the security command in the Terminal to get access to ALL your login usernames and passwords.

    You can read more about this here:

    The actual command, if you'd like to see how easy it actually is for the system to just spew your passwords in the Terminal, is the one given below. Just copy and paste into the terminal and hit enter. Notice how you don't even have to type sudo in front (which means it doesn't require your password at all before it runs):

    security dump-keychain -d ~/Library/Keychains/login.keychain
    You can press Control-C in the Terminal to manually quit the dumping process.

    The only dialog that shows up is the allow or deny option and if you click allow, the password gets dumped into the Terminal.

    The only way to prevent this is to actually click on the Lock icon in the Keychain app or set up the autolocking feature of the app by following these steps:

    Open "Keychain Access". Right click on "login" and select the "change settings for Keychain login" item. Check the box next to "lock after x minutes of inactivity". I set it up for 15 minutes. The only downside to that is, you have to enter your password every time the system asks to access the login keychain which is tedious if you have a big password like I do.

    I don't really understand if this is a security flaw or not for now. From what people have said, it may be a conscious decision of Apple to unlock the login keychain so that the user does not have to type their password in every time the system asks. What do you guys think?
  2. macrumors 68030

    Feb 26, 2011
    Cincinnati, OH
    The saying is something like this:
    If they have physical access to your computer, there is no security.

    If you are worried do as the article says, and lock your keychain.
  3. macrumors 65816

    Jan 9, 2007
    Wow, this is not good.

    At least in the keychain access app, it requires you to type in the keychain password before displaying the passwords (locked or not).

    Now I don't put any sensitive passwords in my keychain, so this isn't the end of the world for me, but I do think Apple needs to fix this so you'd have to enter the keychain password before allowing this sort of dump.

    While it is true of someone has physical access to your logged in computer without a screensaver lock, you shouldn't expect any security you should still not expect that someone can dump all your stored password so easily.
  4. throAU, Sep 13, 2012
    Last edited: Sep 13, 2012

    macrumors 68040

    Feb 13, 2012
    Perth, Western Australia
    This is how a keychain app works (and is intended to work)? If you are authenticated (i.e., logged in and keychain unlocked) you are assumed to be trusted, and the keychain app will give you your keys.

    It isn't a mac specific security issue: if someone can log into your account, anything stored under that account is fair game. Including documents, browser history, browser cookies, etc.

    If you don't want your usernames/passwords potentially exposed, your options are: filevault + secure login credentials + don't leave your machine unlocked.

    This is no different to having someone open your web browser and getting access to the sites you have selected to remain logged in to.

    What WOULD be a security issue is if I could log in as user A and dump user B's keychain - without sudo/admin access.
  5. macrumors regular

    Apr 7, 2011
    And if a person somehow managed to get access to your house they can steal your TV!!!!!11111one
  6. macrumors member

    Jul 20, 2011
    why not just use a login pass / sleep/wake pass to prevent them from getting to the terminal in the first place?
  7. macrumors 6502

    Jul 15, 2012
    Czech Republic
    You can set different passwords for user and user's keychain ;)
  8. macrumors 68020


    Dec 18, 2006
    A local user still has to authenticate the action.

    A separate keychain isn't needed to protect these keychain entries.

    If you want password authentication to be required for any specific keychain entry, then open that specific keychain entry, select the "Access Control" tab, and enable "Ask for Keychain password".

    Screen Shot 2012-09-27 at 11.29.41 AM.png
  9. macrumors 68020


    May 30, 2010
  10. macrumors newbie

    Sep 24, 2012
    Spey Valley
    You work in GCHQ and I claim my £5 :D


  11. macrumors 6502


    Jun 22, 2012
    The link you provided didn't work, but... Are you just saying that if someone logs in to your Mac, they can access your keychain? Isn't that obvious? Isn't that the point of having user accounts?
  12. macrumors 6502

    Dec 31, 2009
    Computer security also includes physical security. If they have physical access then you are compromised.
  13. macrumors 6502


    Jun 22, 2012
    That's what FileVault is for.
  14. macrumors 68040


    Feb 25, 2012
    Sydney, Australia
    Am I missing something? I ran that command and I did not get any plain-text passwords output to terminal.
  15. macrumors 68020


    Dec 18, 2006
    Did you choose accept at the prompts for each separate keychain entry?

    I read somewhere that it only gives you hashes not the passwords in plain text. Although, the info didn't come from any official documentation.
  16. macrumors 68040


    Feb 25, 2012
    Sydney, Australia
    I was getting hashes which is pretty much useless...
  17. macrumors 6502a


    Oct 29, 2007
    You rendered your own post pointless by the second sentence. :slowclap:

Share This Page