
Security Flaw in OS X displays all keychain passwords in plain text - walterbell
https://medium.com/@brentonhenry/security-flaw-in-os-x-displays-all-keychain-passwords-in-plain-text-a530b246e960#.utgmk4k24
======
cocotino
This is bogus.

If you execute "security dump-keychain -d login.keychain":

1. If the keychain is unlocked (the keychain is unlocked by default after
logging in, and you can check that by opening the Keychain Access app) a
SecurityAgent window opens, and you must click the Allow button to dump the
keychain. That cannot be scripted in an installation of a recent version of OS
X which is not misconfigured.

2. If the keychain is locked (for example, by clicking the padlock in the
Keychain Access app to lock it), it asks you for your user password, just like
the Keychain Access app does.

~~~
merpnderp
I just replicated this and it is true for 10.11.5

~~~
Karunamon
Replicated it succeeding, or failing? It isn't possible to script the security
window; the scripting system can't even see it.

[http://prntscr.com/bqepwk](http://prntscr.com/bqepwk)

------
jmiserez
That only allows exporting the passwords of the currently logged-in user.

If you let someone untrusted (!) log in remotely to your computer with your
user account or you give it to someone while your user is logged in it's your
own fault if your keys get stolen. You should use a guest account with
restricted privileges or a separate machine.

It's not much different on Linux: if you use Gnome-Keyring (used by default in
Ubuntu and others) you can also get the passwords easily, in plain text [1].

Not sure about Windows, but you can most likely get to the passwords without
installing anything as well if you're already logged in as the current user.
If you're allowed to run executables, there are quite a few already [2].

[1] [https://blog.schmichael.com/2008/10/30/listing-all-passwords-stored-in-gnome-keyring/](https://blog.schmichael.com/2008/10/30/listing-all-passwords-stored-in-gnome-keyring/)

[2]
[http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html)

~~~
gilgoomesh
Simply being logged in is not sufficient.

The only way this should be possible on the Mac is if a logged in user
physically at the computer selects "Allow" or "Always allow" for each security
dialog that appears. Remote sessions are _not_ permitted to do this.

Security dialogs cannot be scripted under normal circumstances (the
AppleScript given in the article simply doesn't work). I suspect it might be
possible to do highly dangerous things like blessing the "System Events" tool
as an Accessibility tool in the Security System Prefs Pane (which would allow
it to send events to security dialogs) but I'm not totally sure that's
possible and in any case, I don't think that's happening here. I think the
author is simply mistaken or has clicked "Always allow" in the past and
doesn't realize that this setting is still active.

~~~
brenton07
I was actually the author of this article, and am about to update it to
address some of the criticisms. We have two machines locked down to only
certain functions, down to only certain IP addresses even being allowed to
communicate with the machines, and still managed to execute this - it did
prompt Allow/Deny windows, but I find that intellectually different than a
lack of password prompt.

I have dug through security preferences extensively and can't see what setting
could be changed or updated to disallow this function.

I've updated the article to address and respond to some of the criticisms and
feedback.

------
cocotino

            tell process "SecurityAgent"
                click button "Allow" of group 1 of window 1


I'm pretty certain this is not possible in any recent version of OS X.

~~~
throwaway2016a
Same for me: "System Events got an error: Can’t get window 1 of process
"SecurityAgent". Invalid index."

------
wille92
As others have alluded to, this is the "Login" keychain--a keychain of
usernames and passwords that are unlocked upon a user's login. This is by
design, not a security flaw.

~~~
merpnderp
When I tested, I saw banking creds in the ask list. If I want those creds from
keychain I have to type my master password. But for some reason if I want all
the passwords using this method I just have to click 'Always Allow'. Jacked
up.

------
gwbas1c
Newsflash: If you let someone into your house, they can steal anything in your
home.

------
zZorgz
So there are gonna be arguments both ways on whether this console command
should ask for a password, since the user is already logged in.

The main concern I have is the inconsistency that this command does not
request a password while the keychain access app, as far as I know, does
request one.

Apple has been aware of their security behavior here at any rate.

------
ajani
Just tried this on my mac. And yes, it did output something. But the passwords
aren't in plain text. It outputs what looks, at first glance, like encrypted
passwords.

Maybe there is an easy way to decrypt them using some other information in the
output, but I haven't looked further.

~~~
csydas
Snippet from the man page for security:

[https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)

>dump-keychain [-adhir] Dump the contents of one or more keychains.


                -a              Dump access control list of items
                -d              Dump (decrypted) data of items
                -i              Interactive access control list editing mode
                -r              Dump raw (encrypted) data of items


I'm not at my Mac so can't test what it means by "dump decrypted", but I don't
think it dumps all data in plain-text as the article suggested. I am curious
if the keychain was unlocked when they did it for whatever reason.

I still question _why_ such an ability exists through terminal without more
control, but it's not quite as described.

edit: it was very unclear that I was posting a snippet of the actual command. Fixed.

~~~
coldcode
dump-keychain: command not found

~~~
coldcode
[http://apple.stackexchange.com/questions/184897/how-to-dump-the-content-of-keychain-from-the-shell](http://apple.stackexchange.com/questions/184897/how-to-dump-the-content-of-keychain-from-the-shell) This is nothing new, apparently.

------
Angostura
This is actually really useful - thank you. I have been looking for an easy
way to search for re-use of compromised passwords.
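As an added example (not from the article or from any commenter), here is how the per-item output that `security dump-keychain -d` prints could be audited for the password reuse this comment mentions, without ever printing a secret: items are grouped by a truncated SHA-256 fingerprint and only fingerprints shared by two or more items are reported. The sample dump is constructed with made-up values, and the item layout (a `keychain:` header, `"acct"`/`"srvr"`/`"svce"` attribute lines, then `data:` followed by the quoted secret) is assumed from the command's usual output; only the lines the parser needs are kept.

```python
import hashlib
import re

# Constructed sample (made-up values) in the per-item layout that
# `security dump-keychain -d login.keychain` prints; trimmed to the lines used.
SAMPLE_DUMP = '''\
keychain: "/Users/alice/Library/Keychains/login.keychain"
    "acct"<blob>="alice"
    "srvr"<blob>="example.com"
data:
"correct horse battery staple"
keychain: "/Users/alice/Library/Keychains/login.keychain"
    "acct"<blob>="alice"
    "svce"<blob>="imap.example.net"
data:
"correct horse battery staple"
keychain: "/Users/alice/Library/Keychains/login.keychain"
    "acct"<blob>="alice"
    "srvr"<blob>="bank.example"
data:
"a unique password"
'''

ATTR_RE = re.compile(r'^\s*"(acct|srvr|svce)"<blob>="(.*)"$')

def parse_dump(text):
    # Returns [(label, secret)] for every item whose data line is quoted text.
    items, attrs, expect_data = [], {}, False
    for line in text.splitlines():
        if line.startswith("keychain:"):      # header of the next item
            attrs, expect_data = {}, False
        elif expect_data:                      # the line right after "data:"
            if line.startswith('"'):           # printable secrets are quoted
                where = attrs.get("srvr") or attrs.get("svce") or "?"
                items.append((f'{attrs.get("acct", "?")}@{where}', line[1:-1]))
            expect_data = False
        elif line == "data:":
            expect_data = True
        elif m := ATTR_RE.match(line):
            attrs[m.group(1)] = m.group(2)
    return items

def find_reuse(items):
    # Group labels by a short fingerprint of the secret (never the secret itself).
    groups = {}
    for label, secret in items:
        fp = hashlib.sha256(secret.encode()).hexdigest()[:12]
        groups.setdefault(fp, []).append(label)
    return {fp: labels for fp, labels in groups.items() if len(labels) > 1}
```

Run on a real dump, `find_reuse(parse_dump(open("dump.txt").read()))` lists only which accounts share a password, which is all an audit for reuse needs.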

~~~
brenton07
Ha, I had the same response.

------
merpnderp
What I don't understand is if I want to access a particular password from
keychain I have to enter my master password. But if I let someone use my
machine for a few moments all they have to do is hit "Always Allow" and they
can have all my passwords? That is jacked up, Apple.

------
okket
"working as intended"

------
NexusGS
I tried with a locked keychain and it requires you to enter your password (still
something but not everything). This is something that Apple needs to address
soon, I think.

~~~
ralfd
> still something but not everything

Instead of what? What do you propose would be better?

------
herbst
Exactly why I don't trust my mac with my passwords.

~~~
crummy
How do you log in?

~~~
herbst
It's a huge difference to use system specific passwords on that specific
system or to trust a proprietary buggy system with passwords to other,
potentially critical, services and infrastructure.

Which IMO is purely negligent.

~~~
pilif
Whenever you click any "Save my password" option offered by any application on
any OS, that password will need to be stored in some reversible encryption
somewhere - there is just no way around it.

And unless you want to type in a password every time you need to access any of
these stored passwords (which would nearly defeat the purpose), then the
application or OS needs to keep that password and/or key in memory somewhere.

At that point, I would trust an application that runs with privileges that not
even root can get (thanks to 10.11's rootless mode) much more than any other
application, even given the eventual security flaw.

This severely reduces the attack surface to only the keychain application
itself and to the component that enforces the privileges, whereas in other
cases _any_ root-exploit will cause you to lose your passwords.

In the year of 10.11's existence, no security flaw has been found in either
system integrity protection (= rootless mode) or in keychain (the bug listed
here isn't a bug. If you ask keychain to give you the password, it will have
to give you the password or there would be zero point in even storing it in
the first place).

~~~
herbst
I don't even know which version I run, so no idea if I have to be scared or
not. Updates are way too painful to do regularly on a working dev machine. (Lazy
Linux user here.)

Anyway, I never saved a password, that's exactly my point. There is not a single
reason to believe that the Apple keychain can be fully trusted, it's that
simple.

~~~
jrochkind1
> There is not a single reason to believe that the Apple keychain can be fully
> trusted, it's that simple.

How do you believe that differs from any other cloud manager, local or cloud-
hosted? What reason(s) do you have to believe they can be fully trusted? Or do
you not use password managers at all? I assume you don't re-use passwords from
site to site (because there's also no single reason to believe any particular
site you log into can be fully trusted with a password you've used across
sites), I assume you use secure passwords (because you clearly prioritize
security)... how do you remember them all?

~~~
herbst
I don't use any of these but use the gnome keyring at home. It's OS, based on
industry standards and afaik never had serious issues. (It sure helps that
Linux has more restrictive user rights.)

In other places I use a password sheme, and if possible 2fa. A sheme is not
perfect either, but would require an attacker to fetch multiple of my passwords
until he can recreate it.

~~~
jrochkind1
What's a password sheme?

~~~
herbst
Essentially something like this:

Base Password: 123456, Rules: a = A, e = #, Platform: Hacker News, Connector:
Social _, Money -

Password: HAck#rN#ws_123456

~~~
jrochkind1
Oh, you mean to spell "scheme" I think?

Is there reason to believe that's significantly more secure than just re-using
the same (strong) password everywhere?

Personally, I'd feel safer with a unique strong password for every site, even
though it effectively requires a password manager (and trusting that password
manager). So far, i think most attacks don't usually involve your local
computer, people aren't attacking your laptop trying to crack your password
manager (I think? Any known attacks of such? I guess I'd assume the NSA
probably _is_, but anyway, regardless, I'd rather have unique strong
passwords).

~~~
herbst
yeah :) not my native language. thanks for the correction.

I am on my phone and lazy, so excuse missing sources. But afaik a lot of
malware targets password managers. Don't forget that some of these also are
really really bad and easy targets. Some bigger ones may be good, but still
tend to fail from time to time.

A unique password for every site is definitely better, but not if these
passwords are saved anywhere.

My sheme, which only exists in my head, imo provides therefore more safety.

Honestly I am just paranoid, but the way some users use password managers
scares me.

~~~
jrochkind1
Yeah, passwords are all a mess no matter what, just choice of lesser evils.

"Scheme". It's pronounced like "skeem", not "sheem".

