The .mac Keychain Access 'not a bug' bug
I received the following note from Anonymous today concerning a security exposure bug with .mac and Keychain Access (I also noticed the same warning on MacNN this morning). But before you have a mild panic over the following, please read the whole hint -- it's not as bad as the quote may imply...
Mac OS X Security Bug: If you are a .Mac (aka iTools) user you need to be aware! This bug has been confirmed in 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well.

There is a major security hole in the Keychain Access application. Here is what happens. When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the 'Show Passphrase' (on bottom of page), the user's .Mac password will be exposed without authentication.

The only way to protect the iTools password is to lock all keychains, and by default Apple sets all keychains to unlock. Whenever you unlock a keychain, all of them unlock.

NOTE: THIS BUG ONLY APPLIES TO .MAC USERS, NOT OTHER KEYCHAINS.
While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.

Open the Keychain Access application and click on the 'iTools password' entry. Click on the Access Control tab, and notice that this key is set to 'Always allow access to this item.' That's the "bug." To fix it, just click on 'Confirm before allowing access' and 'Ask for Keychain password.' Click Save Changes and enter your Keychain password. That's the end of the "bug."

Part of the power of Keychain Access is that it lets you be as secure as you want to be; you can "introduce" this bug in other passwords just by switching their settings to 'Always allow access to this item.' So please, don't worry about this particular security bug -- it's really nothing more than a switch that wasn't set to the highest security level upon leaving the factory.
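As an added illustration (this is not Apple's code and not part of the original hint), the following small Python model captures the access-control settings just described: a per-item choice between 'Always allow access to this item', 'Confirm before allowing access' and 'Ask for Keychain password', plus the per-application 'Always' grants that let Mail read its own password silently. The outcome names, the item names and the sample keychain are all constructed for the example; the audit function lists the items whose plain text Keychain Access itself can display without a prompt, and `harden` applies the same change the hint makes with mouse clicks.

```python
"""Toy model of Keychain Access item ACLs (added illustration, not Apple's code)."""
from dataclasses import dataclass, field

# Decision outcomes (constructed names, not values from any Apple API)
ALLOW = "allow"                      # secret handed over with no prompt
PROMPT_CONFIRM = "prompt-confirm"    # user must click Allow first
PROMPT_PASSWORD = "prompt-password"  # user must type the keychain password
LOCKED = "locked"                    # keychain is locked: unlock it first

# The application whose 'Show Passphrase' button reveals the secret as text
KEYCHAIN_ACCESS = "Keychain Access"


@dataclass
class KeychainItem:
    name: str
    always_allow: bool = False    # 'Always allow access to this item' (any app)
    ask_password: bool = False    # 'Ask for Keychain password' on confirmation
    trusted_apps: set = field(default_factory=set)  # per-app 'Always' grants


def decide(item, app, unlocked):
    """What happens when `app` asks for the secret stored in `item`."""
    if not unlocked:
        return LOCKED
    if item.always_allow or app in item.trusted_apps:
        return ALLOW
    return PROMPT_PASSWORD if item.ask_password else PROMPT_CONFIRM


def exposed_items(items, unlocked=True):
    """Names of items Keychain Access can show in plain text without any prompt."""
    return [i.name for i in items if decide(i, KEYCHAIN_ACCESS, unlocked) == ALLOW]


def harden(item):
    """The hint's fix: 'Confirm before allowing access' plus 'Ask for Keychain
    password', and no unconditional grant to Keychain Access itself."""
    item.always_allow = False
    item.ask_password = True
    item.trusted_apps.discard(KEYCHAIN_ACCESS)
    return item


def sample_keychain():
    """Constructed keychain mirroring the situation the hint describes."""
    return [
        KeychainItem("iTools password", always_allow=True),          # factory setting
        KeychainItem("Mail: pop.example.net", trusted_apps={"Mail"}),
        KeychainItem("AIM password", trusted_apps={"iChat", KEYCHAIN_ACCESS}),
        KeychainItem("ftp.example.net", ask_password=True),
    ]


if __name__ == "__main__":
    kc = sample_keychain()
    print("exposed before hardening:", exposed_items(kc))
    for item in kc:
        harden(item)
    print("exposed after hardening: ", exposed_items(kc))
```

Note that Mail keeps its silent access to its own item after `harden`, which is the behaviour the hint wants: the per-application grant is the feature, and only the unconditional grant to a password-displaying application is the weak setting. A locked keychain returns `LOCKED` for every item, which is why locking the keychain covers all entries at once.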

8 comments
The .mac Keychain Access 'not a bug' bug
Authored by: terceiro on Mar 19, '03 11:22:00AM

Hooray for this hint! I love hearing a voice of sanity when everyone else is chicken-little-ing it.

The .mac Keychain Access 'not a bug' bug
Authored by: robmorton on Mar 19, '03 12:18:54PM

I am not a .Mac user, but when it was free it used standard POP. That means you are sending your password in clear text across the internet anyway. If that is the same, why would anyone think their password is "secure" anyway?

The .mac Keychain Access 'not a bug' bug
Authored by: Mithrandir on Mar 19, '03 12:21:19PM

The new pay service allows you to encrypt all traffic...

---
Josh

Ultimate Art Gallery
http://UltimateArtGallery.com

The .mac Keychain Access 'not a bug' bug
Authored by: Jaharmi on Mar 24, '03 12:06:21PM

Before the .Mac service became a pay-for service, you could encrypt all traffic. For a while after iTools became .Mac, I had problems using the secure protocols. I tried enabling more-secure logins and SSL again this month (March 2003) and they work again.

I'm not sure whether the iDisk feature supports HTTPS or not. I know in the early days of iTools on Mac OS X, you could start a connection by using an HTTP URL, but that doesn't necessarily mean anything.

The .mac Keychain Access 'not a bug' bug
Authored by: Mithrandir on Mar 19, '03 12:19:15PM

My iTools Keychain was created in July 2002 and is set to properly hide this password. This was probably set while running Mac OS X 10.1.

I have carried over the same user account and home directory since the public beta so who knows where this got changed...

---
Josh

Ultimate Art Gallery
http://UltimateArtGallery.com

The .mac Keychain Access 'not a bug' bug
Authored by: scaryfish on Mar 19, '03 04:20:19PM
IIRC, this has been a "problem" for quite a while.

I don't really see what the fuss is about - if your keychain is unlocked then people can access your password. Whether they do it through Keychain Access or if they use a custom program that just requests it and displays it, they can still get at it easily enough. The solution is simple - lock your keychain when you're away from your computer.

And disable auto-login (or at least make your keychain password different from your login password so it doesn't automatically unlock at login)

---
=)

Not true!
Authored by: mingking on Mar 20, '03 01:26:38PM

It is NOT true that once you open your Keychain Access application you then automatically can see all your passwords. Each entry has an Access Control setting that says which applications can access the password. By default, the Keychain Access application itself does not have access to the passwords. If you select 'show passphrase' it will normally then ask you for the password at that time and ask you what policy you want to assign for the Keychain Access application. If you choose 'Allow Always' that means the Keychain Access application Always has access to that password without prompting. That is where the problem lies. You normally want e.g. the Mail application to have 'Always' access, which happens in a way that is not visible to anyone, but you DON'T normally want the Keychain Access application to have Always access to the password. In fact, I don't see any reason for an option like that at all. Why would you ever want to Always let one application display all of your passwords in plain text?

Security should be conservative by default. It should be very clear what the implications are of assigning a policy of Always for each application. Like I said, for e.g. Mail, that is what you want, but NOT for an application like Keychain Access.

Note this is not a problem solely with .Mac access. As noted in another post here, this could be a problem for any password entry, including those to ftp servers, bank accounts, encrypted files etc. I went through my keychain entries and found a half dozen that were set for Always access to the Keychain Access application. That is not what I ever intended. This should be tightened up.

The .mac Keychain Access 'not a bug' bug
Authored by: tonyinsf on Mar 19, '03 04:36:17PM

This 'bug' is not for .mac only; it affects your AIM password, your ftp server password, your earthlink password, etc. etc.
