![]() ![]() It suggests complex passwords to use and keeps track of them across multiple devices for later use. Those passwords are only accessible once you enter your Apple ID login and password, and those are protected using two-factor authentication and encryption.Ī relatively new iCloud Keychain feature monitors existing logins to ensure they haven't been involved in a data breach. "A few weeks later I decided to send Apple my exploit, and then they fixed it, but I still don’t have a response from them about the bug bounty program.Apple's native password tool addresses two primary needs. "In the beginning I was trying to get them to tell me why Apple doesn’t have a bug bounty program for macOS," Henze says. Henze, who just turned 19, points out that Apple's bug bounty is only for the most critical iOS flaws like kernel bugs and doesn't apply to a vulnerability like KeySteal in a macOS application. "I’ve seen plenty of attacks against the keychain, so although this one was a stealthy new technique, gaining access to passwords in the keychain is far from unheard of." "I hate to say it, but I really wasn’t particularly surprised by KeySteal," says Thomas Reed, a Mac research specialist at the security firm Malwarebytes. Mac researchers emphasize that keychain attacks are fairly common-and are therefore a crucial area for Apple to continue to improve. Apple did not return multiple requests from WIRED for comment on the mechanics of KeySteal or Henze's disclosure. In this way, Henze could trick the security service into piping the decrypted contents of the keychain into an application he controlled.Īpple's patch fixes the flaw and blocks the attack by preventing the security service from trusting manipulated sessions. It was possible, Henze discovered, to manipulate the session between Safari and the security service to make it seem like the session was initiated by the special, trusted keychain admin program that doesn't require user authentication. ![]() ![]() Basically, it's a reliably fruitful target for an attacker to hit, and other researchers have warned about keychain attacks in the past. The service can also store digital certificates used in web encryption and be used to manage public and private keys for encryption. Even if you don't use it as your primary password organizer, there's probably still sensitive stuff in there: The keychain is so seamlessly integrated into macOS that you may have saved some login credentials there without realizing it. Now, having eventually changed his mind and revealed it to Apple, he is also showing exactly how it works at the Objective by the Sea Mac security conference in Monaco this weekend.Īpple's keychain is essentially a native macOS password manager. Initially, Henze refused to share details of his hack with Apple, telling media outlets that it was because the company does not have a bug bounty program for macOS. Apple patched the flaw that KeySteal was exploiting at the end of March. Dubbed KeySteal, the attack called attention to the fact that the macOS keychain makes a very attractive target for hackers. "You know, the ones 'securely' stored so that no one can steal them :)" he wrote. In early February, an 18-year-old German security researcher named Linus Henze demonstrated a macOS attack that would allow a malicious application to grab passwords from Apple's protected keychain. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |