The .mac Keychain Access 'not a bug' bug

Mar 19, '03 09:57:00AM

Contributed by: robg

I received the following note from Anonymous today concerning a security exposure bug with .mac and Keychain Access (I also noticed the same warning on MacNN this morning). But before you have a mild panic over the following, please read the whole hint -- it's not as bad as the quote may imply...

Mac OS X Security Bug: If you are a .Mac (aka iTools) user, you need to be aware! This bug has been confirmed in 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well.

There is a major security hole in the Keychain Access application. Here is what happens. When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the 'Show Passphrase' (on bottom of page), the user's .Mac password will be exposed without authentication.

The only way to protect the iTools is to lock all keychains, and by default Apple sets all keychains to unlock. Whenever you unlock a keychain, all of them unlock.

NOTE: THIS BUG ONLY APPLIES TO .MAC USERS, NOT OTHER KEYCHAINS.

While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.

Open the Keychain Access application and click on the 'iTools password' entry. Click on the Access Control tab, and notice that this key is set to 'Always allow access to this item.' That's the "bug." To fix it, just click on 'Confirm before allowing access' and 'Ask for Keychain password.' Click Save Changes and enter your Keychain password. That's the end of the "bug."

Part of the power of Keychain Access is that it lets you be as secure as you want to be; you can "introduce" this bug in other passwords just by switching their settings to 'Always allow access to this item.' So please, don't worry about this particular security bug -- it's really nothing more than a switch that wasn't set to the highest security level upon leaving the factory.
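As an added example (not part of the original hint), here is a small shell audit that flags every keychain item left at 'Always allow access to this item', the setting this hint is about, so you can find the ones you may have switched yourself. It assumes the `security dump-keychain -a` command-line tool of later Mac OS X releases and the ACL dump layout sketched in the constructed sample; the item names are made up.

```shell
# Added example: find keychain entries set to "Always allow access".
# Assumed dump layout (from the constructed sample below): each ACL entry
# has an authorizations line, a (don't-)require-password flag, a description
# and an applications list, where "applications: <null>" means any app.
audit_keychain_acl() {
    awk '
    function flush() {
        # decrypt granted to any application without a keychain password
        # is the insecure setting; encrypt-only entries are always open.
        if (in_entry && decrypt && nopass && anyapp) print desc
        in_entry = 0; decrypt = 0; nopass = 0; anyapp = 0; desc = ""
    }
    /^[ \t]*entry [0-9]+:/ { flush(); in_entry = 1; next }
    /^(keychain|class):/   { flush(); next }
    in_entry && /authorizations/ && /decrypt/ { decrypt = 1 }
    in_entry && /don.t-require-password/      { nopass = 1 }
    in_entry && /applications: <null>/        { anyapp = 1 }
    in_entry && /description:/ { sub(/^[ \t]*description: /, ""); desc = $0 }
    END { flush() }
    '
}

# Constructed sample dump: one item at "Always allow access" (the iTools
# password from the hint) and one set to confirm and ask for the password.
sample_dump() {
cat <<'EOF'
class: "inet"
access: 2 entries
    entry 0:
        authorizations (2): decrypt derive
        don't-require-password
        description: iTools password
        applications: <null>
    entry 1:
        authorizations (1): encrypt
        don't-require-password
        description: iTools password
        applications: <null>
class: "inet"
access: 1 entries
    entry 0:
        authorizations (2): decrypt derive
        require-password
        description: Mail password
        applications (1):
            0: /Applications/Mail.app
EOF
}

# On a Mac, replace sample_dump with: security dump-keychain -a
sample_dump | audit_keychain_acl
```

Only the iTools entry is reported; the encrypt-only entry on the same item is expected, since any application may add new items.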


Mac OS X Hints
http://hints.macworld.com/article.php?story=2003031906482914