You are using an older browser version. Please use a supported version for the best MSN experience.

Mac keychain flaw can send your passwords to hackers via text

Engadget logo Engadget 2015-09-02 Mariella Moon
keychain© mangpages/Flickr keychain

Antoine Vincent Jebara and Raja Rahbani have discovered a Mac Keychain vulnerability that hackers can easily exploit to steal passwords, certificates, etc. with very little user interaction needed. The duo stumbled upon the flaw while working on the Keychain for their identity management software Myki. They found out that attackers can craft commands that can make Mac's password management system prompt users to click an "Allow button" instead of asking them to type in their passwords. Once a user clicks that button, the malicious code can forward Keychain's contents via text, though the info could also be saved somewhere for download later on.

The malware required to trigger that process can be introduced into the victim's computer via innocuous files such as images, documents and spreadsheets. In fact, the proof of concept Rahbani and Jebara developed to test out what they discovered launches the malware-wrapped image in Preview after you click Allow. They designed it that way to show how that method can be used to allay any suspicion brewing in the back of the victim's mind.

In Jebara's email to Engadget, he said they already notified Apple of the vulnerability and are waiting to hear back. He explained that they decided to come out with this information, because it could be extremely harmful to users if exploited. By knowing the flaw's nature, you can at least protect yourself by not click strange buttons that pop up in Keychain.

We disclosed because we feel that it is the right thing to do knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn't be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch)...

The vulnerability is extremely critical as it allows anyone to steal all of your passwords remotely by simply downloading a file that doesn't look malicious at all and that can't be detected by malware detectors because it doesn't behave the way malware usually does.

AdChoices
AdChoices
AdChoices

More from Engadget

image beaconimage beaconimage beacon