
New open-source app extracts passwords stored in Mac OS X keychain - rkudeshi
http://arstechnica.com/security/2012/09/mac-os-x-keychain-pillaging-app/
======
tptacek
The OS X Keychain is designed to mitigate the impact of losing code execution
_in a user context_. This is important because on most Mac systems, all the
data anyone cares about is stored under the user's UID; nobody really cares
about escalating privileges on a single-user system. What Keychain does is
create a repository for data that can't be read even if you can execve()
arbitrary programs under the UID of the owner of that data.

From that vantage point, a mechanism that breaches the Keychain for a
superuser isn't interesting as a system-level flaw. The OS X superuser also
owns the kernel and every keystroke entered into the system. The Keychain
isn't an impregnable fortress; it is just a scheme for requiring a login for a
user to read some of their own data.

------
0x0
It would still seem that the OSX/iOS keychain access is miles ahead of other
platforms. (I was very impressed to learn that on iOS, you can mark a file
with various data protection flags, which encrypts the file on flash, and only
allows open when the screen is unlocked (because the encryption key is derived
from the screen-lock unlock code, and purged from memory immediately at screen
lock time)). See for example
[http://developer.apple.com/library/ios/#DOCUMENTATION/Cocoa/...](http://developer.apple.com/library/ios/#DOCUMENTATION/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html#//apple_ref/c/data/NSFileProtectionComplete)

Do desktop Linux, Android or Windows provide similar facilities where the
keys are actually not available for reading by processes running under the
user's UID? I found [http://stackoverflow.com/questions/442923/windows-
equivalent...](http://stackoverflow.com/questions/442923/windows-equivalent-
of-os-x-keychain) which sort of hints at some Win32 APIs providing something
like this, but with very high overhead (and also links to scary blog posts
about weakened crypto in i18n'ed Windows releases!)
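The iOS data-protection behaviour described in this comment, as an added example that is not part of the thread: an app writes a file under the NSFileProtectionComplete class (exposed in Swift as `.completeFileProtection`), checks which class an existing file carries, and upgrades a file that was written with the default class. The file name `note.txt` and the use of the app's Documents directory are assumptions for the example.

```swift
import Foundation

// Added example, not code from the thread. Writes text to <Documents>/note.txt
// (assumed path) so that it is stored encrypted on flash and can only be
// opened while the device is unlocked.
func writeProtectedNote(_ text: String) throws -> URL {
    let docs = try FileManager.default.url(for: .documentDirectory,
                                           in: .userDomainMask,
                                           appropriateFor: nil,
                                           create: true)
    let url = docs.appendingPathComponent("note.txt")
    // .completeFileProtection is NSFileProtectionComplete: the per-file key is
    // wrapped with a class key derived from the passcode, and that class key is
    // discarded when the device locks, so reads fail until the next unlock.
    try Data(text.utf8).write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

// Reads back which protection class a file currently has.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}

// Upgrades a file that was created with the default class (.completeUntilFirstUserAuthentication)
// to the strictest class; the file is re-wrapped under the new class key.
func upgradeToComplete(_ url: URL) throws {
    try FileManager.default.setAttributes([.protectionKey: FileProtectionType.complete],
                                          ofItemAtPath: url.path)
}

// A read attempt while locked throws; callers should treat that as "locked",
// not as "missing", and retry after the protected-data-available notification.
func readProtectedNote(at url: URL) -> String? {
    guard let data = try? Data(contentsOf: url) else { return nil }
    return String(data: data, encoding: .utf8)
}
```

The consequence of `.complete` is that any background work touching the file must check `UIApplication.shared.isProtectedDataAvailable` (or observe the corresponding notifications) and defer until the user unlocks; code that ignores this fails intermittently in the background.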

------
pooriaazimi
A more informative title for the article could be:

    New open-source app WHEN EXECUTED WITH ROOT PRIVILEGES
    extracts passwords stored in Mac OS X keychain

------
evmar
Linux users might be surprised to learn that their passwords are often
readable by random code, just by calling the public API:

<https://github.com/martine/keyring-dump>

------
darkarmani
This is still important information to have. Most power users have sudo
privileges. Now it is really obvious that when you get rooted while using
sudo, all of the unlocked keychain items can be read from memory (before you
are alerted that you are rooted).

Keychain still mitigates this attack, though, because until you unlock your
items they are secure. If you use the same password for all of your keychains,
the malware might have already captured the password, but if you use different
passwords for different keychains you still have a chance at being secure.

------
dzhiurgis
Yes, but where's the scandal? Once in a while when I work in my university
library I check whether there are any computers connected via Bonjour. Once in
a while they don't have a root password at all and you can simply locate their
keychain database and import it into your own Keychain Access app. Because they
don't set the password you can unlock the keychain and see the passwords
stored. I even back up my keychains before doing clean reinstalls. I think
it's more a feature than a bug.

------
hannibalhorn
This is great! Back when I used the keychain exclusively, I looked at getting
all this data out in an automated fashion in order to sync all my passwords to
my iPhone. It definitely wasn't an easy thing to do (without lots of modal
pop-ups, anyway.)

I wound up deciding it was a lot easier and cheaper to just switch to
1Password, and haven't looked back, but remember the frustration I felt due to
the fact that this data was so hard to get at.

------
callmevlad
Please excuse my ignorance on the subject, but why does OS X need to encrypt
and store my actual password? The prevailing best practice seems to be that
app owners should only have enough information to determine whether a password
is correct (e.g. hashing, bcrypt, etc), but not enough information to get a
user's actual password (without impractical heavy computation). Is there a
good reason why this is any different for OS X?

~~~
frl374
The keychain is the part of OS X that stores your passwords for websites (and
other things), so you don't have to remember and type them in every time.
Safari uses it to auto-fill login forms, for example.

~~~
callmevlad
Oh, I see, thank you! For some reason, I had assumed that it was used for
storing local user accounts.
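The use case frl374 describes, a website password that Safari later needs in the clear, is exactly what a keychain item is for: the item is stored encrypted and only decryptable once the keychain is unlocked, which is also why darkarmani's point about unlocked items holds. As an added example that is not part of the thread, this Swift code stores and retrieves such an item through the Security framework; the server `example.com`, the account name and the password are constructed sample values.

```swift
import Foundation
import Security

// Added example, not code from the thread or from Apple.
struct KeychainError: Error { let status: OSStatus }

// Attributes that identify one website credential; kSecClassInternetPassword
// is the class Safari-style login items use.
private func identityQuery(server: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassInternetPassword,
        kSecAttrServer as String: server,
        kSecAttrAccount as String: account,
    ]
}

// Stores the plaintext password as an encrypted keychain item. Unlike a login
// check, the caller will later need the real password back, so a one-way hash
// would be useless here; instead the secret is wrapped under keys that are only
// available while the device (or keychain) is unlocked.
func storeWebPassword(server: String, account: String, password: String) throws {
    // Replace any previous item for the same server/account pair.
    SecItemDelete(identityQuery(server: server, account: account) as CFDictionary)

    var item = identityQuery(server: server, account: account)
    item[kSecValueData as String] = Data(password.utf8)
    // Readable only while unlocked, and never migrated to another device via backup.
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

// Retrieves the plaintext again. While the keychain is locked this returns
// errSecInteractionNotAllowed rather than the secret.
func loadWebPassword(server: String, account: String) throws -> String {
    var query = identityQuery(server: server, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne

    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess,
          let data = result as? Data,
          let password = String(data: data, encoding: .utf8) else {
        throw KeychainError(status: status)
    }
    return password
}

// Constructed sample usage.
func demo() throws -> String {
    try storeWebPassword(server: "example.com", account: "alice", password: "hunter2-sample")
    return try loadWebPassword(server: "example.com", account: "alice")
}
```

The contrast with callmevlad's point is in the two functions: a login verifier would store a salted hash and never implement `loadWebPassword` at all, whereas a credential store must return the original bytes, so its protection comes from the accessibility class and the unlock state rather than from irreversibility.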

