Mac OS X Security Bug: If you are an .Mac (aka iTools) user you need to be aware! This bug has been confirmed in 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well.While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.
There is a major security hole in the Keychain Access application. Here is what happens. When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the 'Show Passphrase' (on bottom of page), the user's .Mac password will be exposed without authentication.
The only way to protect the iTools is to lock all keychains and by default Apple sets all keychains to unlock. Whenever you unlock a keychain all of them unlock.
NOTE: THIS BUG ONLY APPLIES TO .MAC USERS, NOT OTHER KEYCHAINS.
Open the Keychain Access application and click on the 'iTools password' entry. Click on the Access Control tab, and notice that this key is set to 'Always allow access to this item.' That's the "bug." To fix it, just click on 'Confirm before allowing access' and 'Ask for Keychain password.' Click Save Changes and enter your Keychain password. That's the end of the "bug."
Part of the power of Keychain Access is that it lets you be as secure as you want to be; you can "introduce" this bug in other passwords just by switching their settings to 'Always allow access to this item.' So please, don't worry about this particular security bug -- it's really nothing more than a switch that wasn't set to the highest security level upon leaving the factory.

