
Decrypt all authorization tokens on macOS without user authentication - apas
https://github.com/manwhoami/MMeTokenDecrypt
======
AdamJacobMuller
Very cool project and definitely a cool find.

Interestingly though, I do get a security dialog when this happens. There is
an "always allow" option there, so perhaps I just never clicked that in the
past.

------
yladiz
Although I think the claim is a little misleading as I was presented a
security dialog box when I ran the command in the script -- "security
find-generic-password -ws 'iCloud' | awk {'print $1'}" -- I do think that the idea
of "always allowing" access to some important part of your security is a
broken model. They should at most allow for a short period of time in which
the access is granted, after which the access is revoked, kind of like sudo.
When I was presented with "Always Allow", "Deny" and "Allow" as my options, I
can easily see how this could happen to someone who just clicks "Always Allow"
because in their head they think, "Not this shit again, go away."

------
grzm
Is this zero-day? Was any of this submitted to Apple prior to release on
GitHub?

~~~
zephharben
Yes, the author indicates he filed a report with Apple about one month ago,
and hasn't received a response:
https://twitter.com/bufferovernoah/status/795275327962484737

------
leblancfg
At first glance, this seems irresponsible on the part of the author. Contact
Apple first and let them know, only release your repo if you don't get an
answer, and make sure to let the world know in your README.md.

The engineers at Apple are just as human as you are.

~~~
entrocode
I am not the author, but it looks like they added exactly this info 5 hours
ago, possibly due to your comment (8 hours ago). Cheers

~~~
leblancfg
Thanks for the update!

------
mfrager
Ouch! This looks really bad. If/when Apple fixes this it may require all
3rd-party software that accesses the keychain to be updated. However that's not
for sure. We will have to wait and see.

