OS X 10.2.4 bug exposes .Mac passwords

Hm, it simply works. I belive, that Apple will soon update Keychain.app, which is anway terrible buggy - for example, it transcodes all special characters (like slash, or @) to html entities (%20) and then browser (camino or IE) rejects such a links.

posted by MacNN.com Reader

Theres more bugs, this isn't the last you'll hear. No different than any other operating system.

posted by MacNN.com Reader

This is really no bug. This is how the .Mac keychain item is configured.

I you are paranoid about it, you can change it with Keychain Manager:

- select your .Mac keychain item
- select the "Access control" tab
- change access to "Confirm..."

posted by MacNN.com Reader

And its only a bug if you leave your machine logged in and without locking the screen. Which, if you're in an envioronment where such stuff concerns you, you wouldn't do. And if you're not in such an environment, then who gives a flying leap.

This reminds me of some hullabaloo with an earlier version of X (or 9, don't remember which). back then, the keychain always asked for your password to open up, which annoyed many users, so someone came up with a script to auto-unlock the keychaing at boot up (or whenever you double-clicked the script). But people went nuts because the password was stored unencrypted (if you can read the script, you have the password! Aiiiggghhh!!!). It took awhile for a sane person to jump in and say "Hey, if someone has access to your machine to read the script, they probably have access to run it, and then they can just access your keychain anyway."

posted by MacNN.com Reader

You have to have access to the account first. It's not like someone can sit at the login screen and view passwords. I dare say that in 99% of home environments this isn't even an issue. Now if an attacker could get this through the network without authenticating then we would have an issue.

posted by MacNN.com Reader

My machine requires me to authenticate before it will show the password so unless you have my password this will never work.

posted by MacNN.com Reader

While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.

Open the Keychain Access application and click on the 'iTools password' entry. Click on the Access Control tab, and notice that this key is set to 'Always allow access to this item.' That's the "bug." To fix it, just click on 'Confirm before allowing access' and 'Ask for Keychain password.' Click Save Changes and enter your Keychain password. That's the end of the "bug."

Part of the power of Keychain Access is that it lets you be as secure as you want to be; you can "introduce" this bug in other passwords just by switching their settings to 'Always allow access to this item.' So please, don't worry about this particular security bug -- it's really nothing more than a switch that wasn't set to the highest security level upon leaving the factory.
_________________________

posted by MacNN.com Reader

The text you see above this comment, which was posted by someone other than me, was copied and pasted verbatim from my website. I wrote the original text this morning, and someone felt like pasting it here without attribution or permission.

I wrote a similar message to this effect five minutes ago, and it's now been deleted.

For the record, you can find the original text on macosxhints.com ... in the future, if you feel like copying my work again, you could at least provide an attribution to the source.

-rob.

posted by MacNN.com Reader

Yet another reason to go with http://www.macRefuge.com

posted by MacNN.com Reader

I just checked, and Keychain shows me my MacRefuge.com password without having me authenticate! Arrrrgggghhhh!!!

posted by MacNN.com Reader