Two developers have discovered a Mac Keychain vulnerability that hackers can easily exploit to steal passwords, certificates, et cetera with very little user interaction needed. Antoine Vincent Jebara and Raja Rahbani stumbled upon the flaw while working on the Keychain for their identity management software Myki. They found out that attackers can craft commands that can make Mac’s password management system prompt users to click an “Allow button” instead of asking them to type in their passwords. Once a user clicks that button, the malicious code can forward Keychain’s contents via text, though the info could also be saved somewhere for download later on.
The malware required to trigger that process can be introduced into the victim’s computer via innocuous files such as images, documents and spreadsheets. In fact, the proof of concept Rahbani and Jebara developed to test out what they discovered launches the malware-wrapped image in Preview after you click Allow. They designed it that way to show how that method can be used to allay any suspicion brewing in the back of the victim’s mind.
In an email to Engadget, Jebara said that they have already notified Apple of the vulnerability and are waiting to hear back. He explained that they decided to come out with this information because it could be extremely harmful to users if exploited. By knowing the flaw’s nature, you can at least protect yourself by not click strange buttons that pop up in Keychain.
We disclosed because we feel that it is the right thing to do knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn’t be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch)…
The vulnerability is extremely critical as it allows anyone to steal all of your passwords remotely by simply downloading a file that doesn’t look malicious at all and that can’t be detected by malware detectors because it doesn’t behave the way malware usually does.