updated 08:40 am EST, Wed March 19, 2003
MacNN reader Will Dean reports on a security hole in Mac OS X 10.2.4, which exposes a user's .Mac password as plain text. (Earlier this week, Apple notified customers of and promised an update.)
"This bug has been confirmed in Mac OS X 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well. There is a major security hole in the Keychain Access application.
"When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the "show passphrase" option (on bottom of page), the user's .Mac password will be exposed [in plain text] without authentication.
"The only way to protect the password is to lock all keychains; by default Apple sets all keychains to unlock. Whenever you unlock a keychain all of them unlock. Note: This bug only affects a user's .Mac password, not other passwords in the Keychain. [Other Keychain password entries require authentication before the display of the password. Users can also change the 'Access Control' of the password to protect the display of this password.]" [updated]