I received the following note from Anonymous today concerning a security exposure bug with .Mac and Keychain Access (I also noticed the same warning on MacNN this morning). But before you have a mild panic over the following, please read the whole hint -- it's not as bad as the quote may imply...
Mac OS X Security Bug: If you are a .Mac (aka iTools) user you need to be aware! This bug has been confirmed in 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well.
There is a major security hole in the Keychain Access application. Here is what happens. When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the 'Show Passphrase' (on bottom of page), the user's .Mac password will be exposed without authentication.
The only way to protect the iTools is to lock all keychains and by default Apple sets all keychains to unlock. Whenever you unlock a keychain all of them unlock.
NOTE: THIS BUG ONLY APPLIES TO .MAC USERS, NOT OTHER KEYCHAINS.
While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .Mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.
Mac OS X Hints
http://hints.macworld.com/article.php?story=2003031906482914