keychaindump - new hacking tool

Discussion in 'Mac Apps and Mac App Store' started by munkery, Sep 8, 2012.

  1. munkery, Sep 8, 2012
    Last edited: Sep 8, 2012

    munkery macrumors 68020


    Dec 18, 2006
    This new tool scans the memory of the securityd process from RAM to reveal unlocked keychain data. The tool requires password authentication to install.

    In comparison, many tools are available that can reveal browser, messaging, and other app password from Windows without password authentication. Protected storage is much less secure in Windows.

    This article includes the typical sophistry of equating an admin account in OS X with root. It also implies that privilege escalation is easy in OS X but somewhat makes it clear that even if this is true that it is due to social engineering. It uses the fact that many apps are owned by system to show how social engineering is probable in OS X but fails to clarify that more apps are now owned by system since the introduction of the Mac App Store.

    The MAS being the source of more system owned apps negates the argument for increased risk of privilege escalation due to social engineering. Apps being owned by system if the source of the installation is secure actually has security benefits because system owned apps require elevated privileges to modify.

    The data of locked keychains is not compromised by this tool even with root access. Albeit, this is dependent on locked keychains remaining locked while keychaindump is in use.

    See #2 in the link below for more details on creating more secure keychain entries.

    Mac Security Suggestions
  2. keysofanxiety macrumors G3


    Nov 23, 2011
    "Mac OS X Hackers With Root Access"

    As it is, we don't even have Root Access when we log in as an administrator, right? So I'm not too sure how that would be able to work remotely?

    If I'm misunderstanding, though, please educate me :eek:
  3. munkery thread starter macrumors 68020


    Dec 18, 2006
    Root access can also be achieved by a process if the process is installed with elevated privileges so that it runs as root. Whether or not a process runs as root can be shown by Activity Monitor.

    When you are prompted for password authentication to install an app most often it is because the app requires installing components in protected areas of the OS. The apps still run with user privileges.

    But, sometimes apps that are installed with password authentication require those elevated privileges to be able to run as root.

    This is why knowing how to safely use password authentication is important.

Share This Page