
Security Flaw in OS X displays all keychain passwords in plain text - nstj
https://medium.com/@brentonhenry/security-flaw-in-os-x-displays-all-keychain-passwords-in-plain-text-a530b246e960
======
timdierks
If your passwords are going to be available to user mode processes without a
privileged interactive password prompt, they're going to be available. This is
how it's designed and is necessary for the current user experience (that apps
you are running have access to your keychain secrets for unlocked
keychains).

Crippling tools to make it look like the passwords are hidden or further
secured is just security theater.

~~~
elsurudo
No, there is an easy fix. Make the "SecurityAgent" process "special" and
non-scriptable. Kind of how when Windows is requesting a permission, the whole
screen is otherwise grayed out with an overlay. It should run in some sort of
permission mode where only direct, physical user input is taken into account
(unless the user has previously selected "always allow" for this application).

------
superuser2
Wait till this guy discovers the filesystem. "Security Flaw in OS X displays
all files in the home directory in plain text."

I mean, it _is_ pretty bad, when you think about it, compared to
"freedom-hating" "user-hostile" sandboxed designs like iOS, but "all your data is
available to all your programs unless you explicitly hobble a specific
program" is pretty central to *nix.

------
SlashmanX
Seems unusual to me that those security dialogs are 'scriptable'.

