03/19/2003, 8:40am, EST

Wednesday, March 19th

OS X 10.2.4 bug exposes .Mac passwords

MacNN reader Will Dean reports on a security hole in Mac OS X 10.2.4 that exposes a user's .Mac password as plain text. (Earlier this week, Apple notified customers of a Samba security bug in OS X and promised an update.)
"This bug has been confirmed in Mac OS X 10.2.4 and also occurs in a recently leaked build of 10.2.5 (6L11) and may affect older versions as well. There is a major security hole in the Keychain Access application.

"When you open up the Keychain application, you will see a list of stored passwords for the various services, such as your e-mail, Airport and iChat. When a user opens the Keychain application and selects the iTools password keychain and then clicks on the "show passphrase" option (on bottom of page), the user's .Mac password will be exposed [in plain text] without authentication.

"The only way to protect the password is to lock all keychains; by default Apple sets all keychains to unlock. Whenever you unlock a keychain all of them unlock. Note: This bug only affects a user's .Mac password, not other passwords in the Keychain. [Other Keychain password entries require authentication before the display of the password. Users can also change the 'Access Control' of the password to protect the display of this password.]" [updated]

12 comments
Reader Reactions

107746 03/19, 9:15am, EST Pretty cool
Hm, it simply works. I believe that Apple will soon update Keychain.app, which is anyway terribly buggy - for example, it transcodes all special characters (like slash, or @) to html entities (%20) and then the browser (Camino or IE) rejects such links.

posted by MacNN.com Reader

107748 03/19, 9:41am, EST 1 down X to go
There's more bugs, this isn't the last you'll hear. No different than any other operating system.

posted by MacNN.com Reader

107749 03/19, 9:43am, EST No... this is no bug.
This is really no bug. This is how the .Mac keychain item is configured.

If you are paranoid about it, you can change it with Keychain Manager:

- select your .Mac keychain item
- select the "Access control" tab
- change access to "Confirm..."

posted by MacNN.com Reader

107751 03/19, 10:09am, EST Re: bug
And it's only a bug if you leave your machine logged in and without locking the screen. Which, if you're in an environment where such stuff concerns you, you wouldn't do. And if you're not in such an environment, then who gives a flying leap.

This reminds me of some hullabaloo with an earlier version of X (or 9, don't remember which). Back then, the keychain always asked for your password to open up, which annoyed many users, so someone came up with a script to auto-unlock the keychain at boot up (or whenever you double-clicked the script). But people went nuts because the password was stored unencrypted (if you can read the script, you have the password! Aiiiggghhh!!!). It took a while for a sane person to jump in and say "Hey, if someone has access to your machine to read the script, they probably have access to run it, and then they can just access your keychain anyway."

posted by MacNN.com Reader

107754 03/19, 10:22am, EST No big deal.
You have to have access to the account first. It's not like someone can sit at the login screen and view passwords. I dare say that in 99% of home environments this isn't even an issue. Now if an attacker could get this through the network without authenticating then we would have an issue.

posted by MacNN.com Reader

107756 03/19, 10:36am, EST Not a bug
My machine requires me to authenticate before it will show the password so unless you have my password this will never work.

posted by MacNN.com Reader

107762 03/19, 11:36am, EST No Bug
While this does, indeed, sound like a not very good thing, it's actually not much of a bug -- it's a feature with an insecure setting. For whatever reason, the .mac Keychain entry is set to not require authorization prior to viewing. If this bothers you a lot, you can fix this "bug" yourself with a few mouse clicks.

Open the Keychain Access application and click on the 'iTools password' entry. Click on the Access Control tab, and notice that this key is set to 'Always allow access to this item.' That's the "bug." To fix it, just click on 'Confirm before allowing access' and 'Ask for Keychain password.' Click Save Changes and enter your Keychain password. That's the end of the "bug."

Part of the power of Keychain Access is that it lets you be as secure as you want to be; you can "introduce" this bug in other passwords just by switching their settings to 'Always allow access to this item.' So please, don't worry about this particular security bug -- it's really nothing more than a switch that wasn't set to the highest security level upon leaving the factory.
_________________________

posted by MacNN.com Reader

107766 03/19, 12:14pm, EST The above text...
The text you see above this comment, which was posted by someone other than me, was copied and pasted verbatim from my website. I wrote the original text this morning, and someone felt like pasting it here without attribution or permission.

I wrote a similar message to this effect five minutes ago, and it's now been deleted.

For the record, you can find the original text on macosxhints.com ... in the future, if you feel like copying my work again, you could at least provide an attribution to the source.

-rob.

posted by MacNN.com Reader

107768 03/19, 12:16pm, EST .macRefuge.com
Yet another reason to go with http://www.macRefuge.com

posted by MacNN.com Reader

107772 03/19, 12:23pm, EST Crap!
I just checked, and Keychain shows me my MacRefuge.com password without having me authenticate! Arrrrgggghhhh!!!

posted by MacNN.com Reader
