http://www.macnn.com/articles/03/03/19/os.x/

OS X 10.2.4 bug exposes .Mac passwords

updated 08:40 am EST, Wed March 19, 2003

MacNN reader Will Dean reports on a security hole in Mac OS X 10.2.4, which exposes a user's .Mac password as plain text. (Earlier this week, Apple notified customers of and promised an update.)

"This bug has been confirmed in Mac OS X 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well. There is a major security hole in the Keychain Access application.

"When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the "show passphrase" option (on bottom of page), the user's .Mac password will be exposed [in plain text] without authentication.

"The only way to protect the password is to lock all keychains; by default Apple sets all keychains to unlock. Whenever you unlock a keychain all of them unlock. Note: This bug only affects a user's .Mac password, not other passwords in the Keychain. [Other Keychain password entries require authentication before the display of the password. Users can also change the 'Access Control' of the password to protect the display of this password.]" [updated]


by MacNN Staff


Comments

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Pretty cool

    Hm, it simply works. I believe that Apple will soon update Keychain.app, which is anyway terribly buggy - for example, it transcodes all special characters (like slash, or @) to HTML entities (%20) and then the browser (Camino or IE) rejects such links.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    1 down X to go

    There's more bugs, this isn't the last you'll hear. No different than any other operating system.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    No... this is no bug.

    This is really no bug. This is how the .Mac keychain item is configured.

    If you are paranoid about it, you can change it with Keychain Manager:

    - select your .Mac keychain item
    - select the "Access control" tab
    - change access to "Confirm..."

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Re: bug

    And it's only a bug if you leave your machine logged in and without locking the screen. Which, if you're in an environment where such stuff concerns you, you wouldn't do. And if you're not in such an environment, then who gives a flying leap.

    This reminds me of some hullabaloo with an earlier version of X (or 9, don't remember which). Back then, the keychain always asked for your password to open up, which annoyed many users, so someone came up with a script to auto-unlock the keychain at boot up (or whenever you double-clicked the script). But people went nuts because the password was stored unencrypted (if you can read the script, you have the password! Aiiiggghhh!!!). It took awhile for a sane person to jump in and say "Hey, if someone has access to your machine to read the script, they probably have access to run it, and then they can just access your keychain anyway."

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    No big deal.

    You have to have access to the account first. It's not like someone can sit at the login screen and view passwords. I dare say that in 99% of home environments this isn't even an issue. Now if an attacker could get this through the network without authenticating then we would have an issue.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Not a bug

    My machine requires me to authenticate before it will show the password so unless you have my password this will never work.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    No Bug

    While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.

    Open the Keychain Access application and click on the 'iTools password' entry. Click on the Access Control tab, and notice that this key is set to 'Always allow access to this item.' That's the "bug." To fix it, just click on 'Confirm before allowing access' and 'Ask for Keychain password.' Click Save Changes and enter your Keychain password. That's the end of the "bug."

    Part of the power of Keychain Access is that it lets you be as secure as you want to be; you can "introduce" this bug in other passwords just by switching their settings to 'Always allow access to this item.' So please, don't worry about this particular security bug -- it's really nothing more than a switch that wasn't set to the highest security level upon leaving the factory.
    _________________________

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    The above text...

    The text you see above this comment, which was posted by someone other than me, was copied and pasted verbatim from my website. I wrote the original text this morning, and someone felt like pasting it here without attribution or permission.

    I wrote a similar message to this effect five minutes ago, and it's now been deleted.

    For the record, you can find the original text on macosxhints.com ... in the future, if you feel like copying my work again, you could at least provide an attribution to the source.

    -rob.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    .macRefuge.com

    Yet another reason to go with http://www.macRefuge.com

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    c***!

    I just checked, and Keychain shows me my MacRefuge.com password without having me authenticate! Arrrrgggghhhh!!!
